Abstract. Recent revelations by Edward Snowden [PLS13, BBG13, Gre14] show that a user's own hardware
and software can be used against her in various ways (e.g., to leak her private information). And, a series
of recent announcements has shown that widespread implementations of cryptographic software often contain
serious bugs that cripple security (e.g., [LHA+12, CVE14b, CVE14a, CVE14c]). This motivates us to consider
the following (seemingly absurd) question: How can we guarantee a user's security when she may be using a
malfunctioning or arbitrarily compromised machine? To that end, we introduce the notion of a cryptographic
reverse firewall (RF). Such a machine sits between the user's computer and the outside world, potentially
modifying the messages that she sends and receives as she engages in a cryptographic protocol.

A good reverse firewall accomplishes three things: (1) it maintains functionality, so that if the user's computer 
is working correctly, the RF will not break the functionality of the underlying protocol; (2) it preserves security, 
so that regardless of how the user's machine behaves, the presence of the RF will provide the same security 
guarantees as the properly implemented protocol; and (3) it resists exfiltration, so that regardless of how the 
user's machine behaves, the presence of the RF will prevent the machine from leaking any information to the 
outside world. Importantly, we do not model the firewall as a trusted party. It does not share any secrets with 
the user, and the protocol should be both secure and functional without the firewall (when it is implemented 
correctly).

Our security definition for reverse firewalls depends on the security notion(s) of the underlying protocol. 
As such, our model generalizes much prior work (e.g., [OO90, YY96, BBS98, BPR14a]) and provides a general 
framework for building cryptographic schemes that remain secure when run on a compromised machine. It is also
a modern take on a line of work that received considerable attention in the 80s and 90s (e.g., [Sim84, Sim85, 
BD91, Des90, Des94, BDI+96, BBS98]). 

We show that our definition is achievable by constructing a private function evaluation protocol with a 
secure reverse firewall for each party. Along the way, we design an oblivious transfer protocol that also has a
secure RF for each party, and a rerandomizable garbled circuit that is both more efficient and more secure
than previous constructions. Finally, we show how to convert any protocol into a protocol with an exfiltration- 
resistant reverse firewall for all parties. (In other words, we provide a generic way to prevent a tampered 
machine from leaking information to an eavesdropper via any protocol.) 

1 Introduction 

Recent revelations of Edward Snowden show that powerful actors will go to remarkable lengths to obtain 
secret information. In particular, the National Security Agency has engineered a backdoor into a public 
cryptographic standard [PLS13, BBG13] and intercepted hardware as it was being delivered to customers 
in order to tamper with it [Gre14]. Meanwhile, multiple serious flaws have been uncovered in widely
used implementations of cryptographic protocols, leaving many users vulnerable to simple but devastating
attacks (e.g., [LHA+12, CVE14b, CVE14a, CVE14c]). The extreme complexity of modern cryptographic
implementations makes it extremely difficult for experts (let alone the typical user) to detect such vulner- 
abilities, even when they are introduced innocently. Attackers that deliberately insert such vulnerabilities 
into hardware and software can make this even harder by using cryptographic methods to cover their 
tracks. 

So, facing the disturbing (and quite real) possibility of a compromise that reaches inside one's commu- 
nication platform, we consider the following seemingly paradoxical question: Can we design cryptographic 
protocols that achieve meaningful security when the adversary may arbitrarily tamper with the victim's 
computer? 

To resolve this question, we present a strong and general notion of security in the presence of an active 
tampering adversary and show how to instantiate powerful cryptographic primitives in this model. Of
course, if Alice's computer simply chooses to replace her first message to Bob in some protocol with, for
example, her secret business plans, we cannot hope to guarantee her security without some sort of help. 
Inverting the metaphor from network security, we propose and investigate the power of a (cryptographic) 
reverse firewall — an entity whose role is to protect cryptographic schemes and protocols from insider 
attacks. Informally, a cryptographic reverse firewall (RF) is a machine run by a third party (e.g., a security 
contractor hired by Alice's employer) that sits somewhere between Alice and the outside world and prevents 
Alice's computer from compromising her security by potentially modifying the messages that it sends 
and receives. In contrast to the standard firewall, the focus of a reverse firewall is on the inside of the 
perimeter. In particular, one important goal of a reverse firewall is the prevention of exfiltration attacks. Our
primary contribution is the definition of reverse firewalls and the additional level of security that they 
bring to cryptographic protocols. 

More specifically, we define three desirable properties of reverse firewalls. First, a reverse firewall should 
maintain functionality. I.e., if Alice's computer is behaving as it should, then the RF should not break 
the underlying functionality of the protocol. Second, a reverse firewall should preserve security. I.e., if the 
protocol without the RF present provides some security guarantee when Alice's computer behaves as it 
should, then the protocol with the RF present should provide this same security guarantee regardless of 
how Alice's computer behaves. Finally, a reverse firewall should resist exfiltration. Intuitively, an RF is 
exfiltration-resistant if Alice's tampered implementation cannot leak any information to the outside world 
through the firewall. 

We defer much of the discussion of our definition to Section 2, where we introduce it formally. We 
emphasize, however, that the reverse firewall is not a trusted third party, and we do not rely solely on 
it for security. If Alice's implementation of the protocol is correct, then the protocol should be secure 
and functional without the firewall. In other words, we ask that the firewall preserves security, not that 
it provides it. In addition, the RF only has access to Alice's incoming and outgoing messages and any 
public parameters — not to Alice's state or input or any shared secrets. In effect, we place no more trust 
in the reverse firewall than we do in the communication medium. (We additionally require that firewalls 
be "stackable," so that one party may have arbitrarily many firewalls. Security is then guaranteed if just 
one of the firewalls is implemented correctly — or if Alice's own implementation is correct.) 

Note that our security definition is quite strong, as it imagines the adversary "living inside of our 
computer." Consider, for example, a secure coin-flipping protocol in which Alice wishes to agree on a fair 
coin toss with Bob. Informally, the protocol is secure for Alice in the standard setting (i.e., without reverse 
firewalls) if Bob cannot bias the resulting coin toss alone. In our setting, we imagine both parties working 
together to bias the coin toss in Bob's favor. (Bob is adversarial as always, and in our setting, Bob may
have also tampered with Alice's computer so that it is effectively "on Bob's side.") The only defense against 
this attack is a reverse firewall that can modify the messages that Alice sends and receives but must do 
so in a way that does not break the protocol when Alice and Bob are honest. (And, again, it must do so 
without access to any privileged information.) 

In spite of this strength, we show that security in this model is achievable for very strong primitives. 
Indeed, we construct a two-round private function evaluation protocol that is secure in this model (Sec- 
tion 4). In particular, each party in this protocol has a corresponding secure reverse firewall. In other 
words, we show a relatively simple protocol that allows Alice and Bob to jointly and securely compute 
any circuit with the remarkable property that a reverse firewall can guarantee Alice's security even when 
Bob has tampered with her computer, and vice versa. This immediately shows that a very large class of 
two-party primitives can be realized securely in this model. The main ingredients for this protocol are an 
oblivious transfer scheme that itself has a secure reverse firewall for each party (Section 3) and a rerandom- 
izable version of Yao's garbled circuit (Section 4.1). Our oblivious transfer protocol is a modified version 
of the Naor-Pinkas/Aiello-Ishai-Reingold protocol [NP01, AIR01]. Our rerandomizable garbled circuit is
significantly more efficient than the construction of Gentry et al. [GHV10], and it achieves a stronger
notion of rerandomizability. (See Section 1.1 for further comparison.) 
Finally, in Section 5, we show a generic construction that can convert any protocol into a protocol
with the same functionality that has an exfiltration-resistant reverse firewall. In other words, we provide a 
generic way to prevent a tampered machine from leaking information to an eavesdropper via any protocol. 
So, for the important special case in which Alice is primarily concerned with passive eavesdroppers, we 
show that any multiparty functionality can be implemented in our model. 

Our protocols are described in full in terms of basic group operations, and we avoid using "heavy 
machinery" like non-interactive zero-knowledge proofs in our constructions. In particular, this means that 
our protocols are relatively simple and efficient and that the security of our constructions follows from 
relatively weak complexity-theoretic assumptions (namely, the slight variants of the decisional Diffie- 
Hellman assumption presented in Appendix B). 

1.1 Related work 

In this section we give a summary of related prior work, starting with the most directly comparable and 
recent literature. Given the size and the scope of existing work dealing with various models of insider 
attacks and mitigation strategies, our focus is on the similarities and differences between our work and 
prior art rather than a comprehensive review of all previous approaches. 

Algorithm-substitution attacks. Motivated by the potential threat of powerful adversaries subvert- 
ing implementations of cryptographic algorithms, Bellare, Paterson, and Rogaway recently proposed a 
formalization of the notion of resilience of symmetric encryption schemes to algorithm-substitution at- 
tacks (ASA) [BPR14a]. They observe that modern standards for symmetric encryption crucially rely on 
sender-chosen randomness to attain acceptable security levels. Since these standards do not include any 
mechanisms for ensuring that randomness used in the encryption stage is unbiased, they effectively enable 
a communication channel, which a corrupt implementation may use to leak information to an external 
party. 

Bellare et al. define a general framework for ASA security, identifying two adversarial goals — avoiding 
detection and conducting surveillance. They cast several algorithm-substitution attacks against symmetric- 
key encryption in this framework, showing that widely deployed secure communication protocols, such as 
SSL/TLS, IPsec, and SSH, are vulnerable to these attacks. Furthermore, they present a universal, essen- 
tially undetectable attack effective against any stateless, randomized symmetric-key encryption scheme. 

On the positive (defensive) side, Bellare et al. advocate using stateful, deterministic encryption schemes 
with unique ciphertexts as a counter-ASA measure. They construct a provably ASA-resilient encryption 
scheme based on the encode-then-encipher paradigm, and prove that all nonce-based schemes satisfying 
a natural non-degeneracy condition can be converted into stateful schemes with unique ciphertexts by 
choosing their nonces sequentially. 

Our work extends Bellare et al. in several directions. First, we include in our treatment arbitrary two-
and multi-party protocols, as opposed to just symmetric-key encryption. Second, we shift our objective
from developing primitives that are ASA-resilient by design to constructing protocols that are reverse-
firewall-ready. Bellare et al. only achieve security against adversaries that do not break the functionality of
the encryption scheme ("functionality-maintaining adversaries" in our terminology). By making a stronger
assumption, namely the availability of an uncorrupted reverse firewall, we are able to achieve stronger security guar-
antees, such as security against tampered implementations that break functionality.

Our results and techniques can be viewed as complementary. Whereas Bellare et al. make a strong case 
for suppressing "freedom of choice" in cryptographic primitives, we demonstrate that additional randomness 
can be injected by an intermediary in some protocols to achieve stronger security guarantees for a much 
wider range of primitives. 

Collusion-free protocols and mediated collusion-free protocols. Informally, Lepinski, Micali, and 
shelat say that a multi-party protocol is collusion-free if the parties cannot communicate information 
about their private inputs to each other via the protocol [LMs05]. For example, a collusion-free protocol 
for the game of poker allows parties to play a hand of poker, but it does not allow them to communicate
information about their cards to other players during the hand. 

This notion resembles our definition of exfiltration resistance in that it disallows subliminal commu- 
nication via the protocol, but the two notions are incomparable. On one hand, the definition of Lepinski 
et al. is much stronger than ours because it does not allow the use of a third-party reverse firewall to 
prevent subliminal communication. On the other hand, it is much weaker because it specifies what specific 
information parties are not allowed to communicate. Indeed, their constructions involve a setup phase that 
is conducted before the parties are given their inputs, and the authors observe that this setup phase can be 
used as a subliminal channel. So, in our model, their protocols are completely insecure. Their constructions 
also require strong physical assumptions to ensure verifiable determinism. 

To avoid the need for the setup phase and physical assumptions, Alwen, shelat, and Visconti introduce 
the mediated model for collusion-free protocols [AsV08]. In this model, all communication between the
parties is routed through a mediator. Intuitively, the mediator rerandomizes the parties' messages in much 
the same way that our reverse firewalls do. However, the mediator is much more powerful than a reverse 
firewall in that (1) it intercepts all parties' messages and (2) it may exchange messages with the parties 
in any order. In contrast, our firewall modifies the messages sent and received by a single party in an 
online fashion, and we require our protocols to work without the firewall present. Because Alwen et al. 
give the mediator this additional power, they must explicitly model security against the mediator as a 
separate property of the protocol. In contrast, we get security "against the firewall" for free, as a natural 
consequence of the security of the underlying protocol. Their security definition is also stronger in the 
sense that it includes a strong notion of secure multi-party computation. While our notion of security 
preservation allows for such security, we intentionally do not require it in general. 

Subliminal channels and divertible protocols. A long series of works explored the idea of sub-
liminal channels in various cryptosystems (e.g., [Sim84, Sim85, BD91, Des90, Des94, BDI+96, BBS98]). Sim-
mons [Sim84] introduced the notion by showing subliminal channels in various signature and authentication
schemes. The underlying theme of this work is a story in which two prisoners, Alice and Bob, wish to
communicate in some sanctioned way through the prison's warden (e.g., Alice wishes to tell Bob in some
authenticated manner that she has not been harmed). The warden wishes to remove any subliminal mes-
sages from this communication (e.g., to prevent Alice from communicating escape plans to Bob). The
warden in this story is quite similar to our reverse firewall, and the notion of a subliminal-free chan- 
nel is closely related to our notion of exfiltration resistance. Because of the wide body of work with a 
variety of definitions, results, and applications, we focus on a small portion that is most related to our 
work — divertible protocols. 

Intuitively, a protocol is divertible if a warden sitting between Alice and Bob can rerandomize the 
messages of both parties so that (1) neither party is aware of the warden's existence and (2) neither 
party can distinguish between an interaction with a dishonest party with the warden in the middle and 
an interaction with an honest party. Okamoto and Ohta provided the first definition of divertibility for 
zero-knowledge proofs [OO90] (based on earlier definitions of subliminal-free zero-knowledge proofs), and
Burmester et al. showed that all languages in NP have a divertible zero-knowledge proof [BD91, BDI+99]. 
These simple and elegant constructions immediately provide zero-knowledge proofs with reverse firewalls 
for all languages in NP. 

Blaze, Bleumer, and Strauss showed how to generalize and strengthen the definition of divertibility 
to apply to any two-party cryptographic protocol [BBS98]. Indeed, their prescient definition comes close 
to our notion of a protocol with an exfiltration-resistant reverse firewall. We highlight three primary 
differences between their work and ours. 

1. In our terminology, Blaze et al. consider only exfiltration resistance and not security preservation.
In some applications (e.g., zero-knowledge proofs), the two properties are equivalent, but in many 
important applications (such as those that we consider in the sequel), the two properties are very 
different. (See Section 2.3 for further discussion of the distinction between these two properties.) 
2. Blaze et al. implicitly assume that any dishonest version of the prover still provides valid proofs. (In
our language, tampered provers must "maintain functionality.") This assumption is necessary for the
prover of zero-knowledge proofs, but in general we can and should do better.

3. They consider only synchronous protocols with two parties and one warden. We consider asynchronous 
multi-party protocols in which each party may have its own firewall. By separating the warden into 
multiple firewalls and moving away from the synchronous model, our definition becomes much stronger, 
as our firewalls do not have the benefit of seeing all messages from all parties sent during a round 
before deciding how to modify them. (Indeed, Blaze et al. provide an example of a simple divertible 
key-agreement protocol. However, this protocol is not secure in our model because it crucially relies 
on the synchronous model of communication for its security.) We also find our more modular model to 
be more natural in our modern context, in which different parties may have different security needs. 

Divertible protocols also differ from protocols with reverse firewalls in a number of more subtle ways. For 
example, Blaze et al. require that the warden is undetectable to either party. The protocols presented
in the sequel achieve this notion of "transparency", but we intentionally do not require it as part of our 
definition. 

In short, divertible protocols and subliminal-free channels were founded on a story that predates the 
concerns that motivate our work. Our more modern story, in which Alice and Bob (who need not be 
prisoners!) are concerned that their computers have been corrupted, leads naturally to our more general 
definition. 

Kleptography. Young and Yung identified an important subclass of insider threats against cryptographic
schemes, which they called kleptographic attacks [YY96]. The goal of a kleptographic attack is to leak a
secret to an adversary who planted a malicious implementation of a cryptographic system on a victim's 
computer. The attack is asymmetric — the compromised implementation may carry the attacker's public 
key, but a private key is necessary in order to read from the subliminal channel. A secure kleptographic 
attack is undetectable as long as the system is accessed as a black box, and while it may be identified if 
one reverse engineers the implementation, this will only expose the attacker's public key. In particular, if 
multiple systems run the same compromised software stack, a successful reverse engineering effort of one 
such system will not help in breaching the security of others. 

The (now withdrawn) NIST-standardized Dual Elliptic Curve Deterministic Random Bit Generator
(Dual_EC_DRBG) is an example of a mechanism with a potential kleptographic backdoor [BV07, SF07]. 

Our adversarial model is a relaxation of the kleptographic attacker. We consider the possibility that 
the adversary may not worry about detection and is not concerned about a split-key solution. 

Rerandomizable garbled circuits. Gentry, Halevi, and Vaikuntanathan construct a rerandomizable
version of Yao's garbled circuit in order to build an "i-hop" homomorphic encryption scheme [GHV10].
Their construction is quite elegant, and its security is based on a slightly weaker assumption than ours
(pure decisional Diffie-Hellman, as opposed to the slight variants presented in Appendix B). But, it does
not work in our context. Informally, their circuit is rerandomizable when constructed honestly, but the
rerandomization of a dishonestly constructed circuit can easily be distinguished from a freshly garbled
circuit. (With negligible probability, even the honest implementation can create circuits that in some
sense "cannot be rerandomized.") In our context, in which we consider the possibility that the garbled 
circuit was constructed by a corrupted algorithm, this is a fatal flaw. We thus construct a new garbling 
scheme that can be rerandomized in a much stronger sense. 

Our scheme (presented in Section 4) is also substantially more efficient than that of Gentry et al. The 
size of a single gate in their circuit is $O(\lambda^2)$ group elements, where $\lambda$ is the security parameter, whereas our
gates require only a constant number of group elements. As a consequence, our rerandomizable garbling
scheme (which uses a trick inspired by Prabhakaran and Rosulek [PR07]) also implies a significantly more
efficient implementation of i-hop homomorphic encryption. 

Combiners. An alternative defense against untrusted implementations of a cryptographic primitive is 
to combine multiple implementations of the same primitive in some way so that the combined primitive 
will be secure if a suitably large subset of the initial primitives are secure. This idea is quite common in
the literature, and it was formalized by Harnik et al., who show that many primitives have elegant robust 
combiners [HKN+05]. 

Combiners solve a slightly different problem than reverse firewalls. Firewalls guarantee security when 
a user's system has been arbitrarily compromised, while combiners provide security only when the user 
already has access to at least one secure implementation of a primitive (and a secure implementation of 
the combiner itself!). Intuitively, combiners are applicable when multiple implementations of the same 
primitive exist that either (1) may have bugs in them or (2) rely on different unproven assumptions. In 
contrast, reverse firewalls work even when our implementations have been intentionally compromised. 

2 Cryptographic reverse firewalls 

We now present our general definition of a cryptographic reverse firewall that can be applied to a large 
class of primitives. This requires us first to define a cryptographic protocol in a (very general) way that 
suits our purposes. We note, however, that we describe the concrete schemes presented in the sequel in 
simpler terms. So, this level of generality is not necessary to understand the rest of the paper. 

2.1 Cryptographic protocols 

Definition 1 (Cryptographic protocol). A cryptographic protocol $\mathcal{P}$ defines an interaction between
stateful parties $(P_1, \ldots, P_\ell)$. First, a setup procedure $\mathsf{setup}(1^\lambda)$ is run, where $\lambda$ is the security parameter.
It returns a starting state for each party $(\sigma_{P_i})_{i=1}^{\ell}$, which we call their respective input; public parameters $\rho$;
and a schedule of messages.¹ The parties proceed to send messages to each other according to the schedule.
Each party has an associated next message algorithm $\mathsf{next}_{P_i}(\sigma_{P_i})$ that is called when it must output a
message and a message receipt algorithm $\mathsf{receive}_{P_i}(\sigma_{P_i}, m)$ that is called upon receipt of a message to
update the party's state. After the protocol is finished, each party runs its output algorithm $\mathsf{output}_{P_i}(\sigma_{P_i})$
and returns the result.

We identify the protocol with its parties and setup procedure, $\mathcal{P} = (\mathsf{setup}, (P_i)_{i=1}^{\ell})$, and we identify the
parties with the algorithms that define them, $P_i = (\mathsf{receive}_{P_i}, \mathsf{next}_{P_i}, \mathsf{output}_{P_i})$. A complete record of all
messages sent during a run of the protocol is a transcript $\mathcal{T}$.

We call a run of a protocol a run with input $I$ if the parties' respective input and the public parameters
are set to the values represented by $I$. We assume implicitly that the input $I$ satisfies certain validity
requirements.

A protocol must satisfy functionality requirements $\mathcal{F}$, which place constraints on the output of the
parties for particular input $I$, and security requirements $\mathcal{S}$, which place constraints on the message dis-
tribution conditioned on specific input $I$. For our purposes, it will often be convenient to assign to each
security requirement $\mathcal{S}$ a specific party who "is concerned with $\mathcal{S}$." For a party $P$, we say that a protocol is
secure for $P$ if all of $P$'s security requirements are met.

For example, a one-out-of-two oblivious transfer (OT) protocol is a protocol between a sender, Alice,
and a receiver, Bob. Alice's input is a pair of messages $m_0, m_1$, and Bob's input is a bit $b$. The protocol is
functional if Bob's output is $m_b$. It is secure for Bob if for any valid messages $m_0, m_1$, no efficient algorithm
playing the role of Alice can predict $b$ with non-negligible advantage after the protocol is complete. (I.e.,
Alice is oblivious to Bob's bit $b$.) Intuitively, the protocol is secure for Alice if no efficient algorithm playing
the role of Bob can "learn any information" other than $m_0$ or $m_1$ (but not both!). (See Appendix A.1 for
a more formal definition.)

Below, we list some terminology and notation that will be useful in the next section. 

¹ Note that we only consider protocols in which the message schedule is fixed by setup. Formally, this schedule determines
the number of messages that a party must receive from each other party before sending each message. (E.g., Alice will 
send her second message after she has received three messages from Bob, two from Carol, and one from David.) We omit 
explicit reference to this schedule in the sequel as it will always be clear. 
Definition 2 (Protocols and parties). For a protocol $\mathcal{P} = (\mathsf{setup}, (P_i)_{i=1}^{\ell})$ satisfying functionality $\mathcal{F}$,
input $I$, party $P$, index $j$, and index set $J \subseteq \{1, \ldots, \ell\}$,

1. $\mathcal{T} \leftarrow \mathcal{P}(I)$ denotes setting the variable $\mathcal{T}$ to the transcript obtained by a run of $\mathcal{P}$ with input $I$;

2. $\mathcal{P}_{P_j \to P}$ is the protocol obtained by replacing party $P_j$ with $P$ in the protocol $\mathcal{P}$;

3. $\mathcal{P}_{J \to P}$ is the protocol obtained by replacing all of the parties $\{P_j\}_{j \in J}$ with a single implementation of
$P$ in $\mathcal{P}$ (i.e., the parties $\{P_j\}_{j \in J}$ "collapse" into a single party $P$ that has a single state $\sigma_P$);

4. if any party sends the special symbol $\bot$ as a message at any time, then the protocol immediately ends
and, by definition, functionality has been violated; and

5. $P$ maintains $\mathcal{F}$ for $P_j$ in $\mathcal{P}$ if $\mathcal{P}_{P_j \to P}$ satisfies $\mathcal{F}$ with all but negligible probability over the random coins
of the parties and setup procedure of $\mathcal{P}$ for any fixed input.

When $\mathcal{F}$, $P_j$, and $\mathcal{P}$ are clear, we simply say that $P$ maintains functionality.

2.2 Cryptographic reverse firewalls 

Definition 3 (Cryptographic reverse firewall). A cryptographic reverse firewall (RF) is a stateful
algorithm $\mathcal{W}$ that takes as input its state and a message and outputs an updated state and message. For
simplicity, we do not write the state of $\mathcal{W}$ explicitly.

For a party $P = (\mathsf{receive}, \mathsf{next}, \mathsf{output})$ and reverse firewall $\mathcal{W}$, the composed party is defined as

$$\mathcal{W} \circ P := \big(\mathsf{receive}_{\mathcal{W} \circ P}(\sigma, m) = \mathsf{receive}_P(\sigma, \mathcal{W}(m)),\quad \mathsf{next}_{\mathcal{W} \circ P}(\sigma) = \mathcal{W}(\mathsf{next}_P(\sigma)),\quad \mathsf{output}_{\mathcal{W} \circ P}(\sigma) = \mathsf{output}_P(\sigma)\big).$$

When the composed party engages in a protocol, the state of $\mathcal{W}$ is initialized to the public parameters $\rho$. If
$\mathcal{W}$ is meant to be composed with a party $P$, we call it a reverse firewall for $P$.

Intuitively, an RF simply modifies Alice's incoming and outgoing messages. Alice of course does not 
want a reverse firewall to ruin her protocol's functionality when her internal implementation is correct. 
Indeed, we want something more than this. Alice's employer may wish to deploy multiple reverse firewalls 
(one internal firewall, one provided by a security contractor, etc.), and we do not want such "stacking" of 
firewalls to break functionality. The definition below captures this. 

Definition 4 (Functionality-maintaining RFs). For any reverse firewall $\mathcal{W}$ and any party $P$, let
$\mathcal{W}^1 \circ P = \mathcal{W} \circ P$, and for $k \ge 2$, let $\mathcal{W}^k \circ P = \mathcal{W} \circ (\mathcal{W}^{k-1} \circ P)$.

For a protocol $\mathcal{P}$ that satisfies some functionality requirements $\mathcal{F}$, we say that a reverse firewall $\mathcal{W}$
maintains $\mathcal{F}$ for $P_j$ in $\mathcal{P}$ if $\mathcal{W}^k \circ P_j$ maintains $\mathcal{F}$ for $P_j$ in $\mathcal{P}$ for any polynomially bounded $k \ge 1$. When
$\mathcal{F}$, $P_j$, and $\mathcal{P}$ are clear, we simply say that $\mathcal{W}$ maintains functionality.

We emphasize that we are interested in reverse firewalls that maintain the functionality of an already 
functional protocol — protocols that do not function without the firewall are not nearly as interesting. We 
also note that the reverse firewalls described in the sequel actually achieve much stronger properties. In 
particular, they are all "transparent", so that the behavior of $\mathcal{W} \circ P$ is identical to the behavior of $P$ if $P$
is the honest implementation. And, $\mathcal{W} \circ P$ is functionality maintaining whenever $P$ is (and not just when
P is an honest implementation). While these properties seem desirable for many applications, we do not 
wish to exclude from our definitions firewalls that, for example, append a signature to each message that 
they send. 

More interestingly, we would like a reverse firewall to protect Alice from an adversary that may have 
tampered with her computer. To that end, we ask that the firewall preserves the security properties of the
underlying protocol. So, we are only interested in protocols that are already secure without the firewall 
present. Since this definition depends on the security properties of the underlying protocol, it provides a 
general framework for the study of arbitrary cryptographic primitives in this model. Our strongest notion
of security imagines a completely adversarial algorithm replacing Alice's implementation of the protocol
and requires that security is still preserved even in this setting. Our weaker notion only considers tampered
implementations that maintain functionality.

Definition 5 (Security-preserving RFs). For a protocol $\mathcal{P} = (\mathsf{setup}, (\mathsf{next}_{P_i}, \mathsf{receive}_{P_i}, \mathsf{output}_{P_i})_i)$ that satisfies some security requirements $\mathcal{S}$ and functionality $\mathcal{F}$ and a reverse firewall $\mathcal{W}$,

1. $\mathcal{W}$ strongly preserves $\mathcal{S}$ for $P_i$ in $\mathcal{P}$ if the protocol $\mathcal{P}_{P_i \to \mathcal{W} \circ P_i^*}$ satisfies $\mathcal{S}$ for any probabilistic polynomial-time $P_i^*$; and

2. $\mathcal{W}$ weakly preserves $\mathcal{S}$ for $P_i$ in $\mathcal{P}$ against $\mathcal{F}$-maintaining adversaries if the protocol $\mathcal{P}_{P_i \to \mathcal{W} \circ P_i^*}$ satisfies $\mathcal{S}$ for any probabilistic polynomial-time $P_i^*$ that maintains functionality $\mathcal{F}$.

When $\mathcal{S}$, $P_i$, $\mathcal{P}$ and $\mathcal{F}$ are clear, we simply say that $\mathcal{W}$ strongly preserves security or weakly preserves security respectively.

One type of attack that particularly concerns us is exfiltration, in which Alice's corrupted computer attempts to leak some private information (e.g., secret business plans) to an adversary who has control over some (possibly empty) list of other parties $J$. We call security against such an attack exfiltration resistance, and we define it in terms of the game $\mathsf{LEAK}(\mathcal{P}, P_i, J, \mathcal{W}, \lambda)$, presented in Figure 1. Intuitively, the game $\mathsf{LEAK}$ asks the adversary to distinguish between a tampered implementation of party $P_i$ and an honest implementation. An exfiltration-resistant reverse firewall therefore prevents an adversary from even learning whether Alice's computer has been compromised, let alone her secret business plans.



proc. $\mathsf{LEAK}(\mathcal{P}, P_i, J, \mathcal{W}, \lambda)$
  $(P_i^*, P_J^*, I, \sigma) \leftarrow \mathcal{A}(1^\lambda)$
  $b \leftarrow \{0, 1\}$
  IF $b = 1$, $P^* \leftarrow \mathcal{W} \circ P_i^*$
  ELSE, $P^* \leftarrow \mathcal{W} \circ P_i$
  $\mathcal{T}^* \leftarrow \mathcal{P}_{P_i \to P^*,\, P_J \to P_J^*}(I)$
  $b^* \leftarrow \mathcal{A}(\sigma, \mathcal{T}^*, \sigma_{P_J})$
  OUTPUT $(b = b^*)$

Fig. 1: $\mathsf{LEAK}(\mathcal{P}, P_i, J, \mathcal{W}, \lambda)$, the exfiltration resistance security game for a reverse firewall $\mathcal{W}$ for party $P_i$ in protocol $\mathcal{P}$ with corrupted parties $J$ and security parameter $\lambda$. (Formally, the adversary represents a party by a collection of three (possibly randomized) circuits that implement the relevant functions $\mathsf{receive}$, $\mathsf{next}$, and $\mathsf{output}$.)



Definition 6 (Exfiltration-resistant RFs). For a protocol $\mathcal{P}$ satisfying functionality $\mathcal{F}$ and a reverse firewall $\mathcal{W}$,

1. $\mathcal{W}$ is $(\mathcal{P}, P_i, J)$-strongly exfiltration-resistant if no PPT adversary $\mathcal{A}$ achieves advantage that is non-negligible in the security parameter $\lambda$ in the game $\mathsf{LEAK}(\mathcal{P}, P_i, J, \mathcal{W}, \lambda)$; and

2. $\mathcal{W}$ is $(\mathcal{P}, P_i, J)$-weakly exfiltration-resistant against $\mathcal{F}$-maintaining adversaries if no PPT adversary $\mathcal{A}$ achieves advantage that is non-negligible in the security parameter $\lambda$ in the game $\mathsf{LEAK}(\mathcal{P}, P_i, J, \mathcal{W}, \lambda)$ provided that the adversary's output $P_i^*$ maintains $\mathcal{F}$ for $P_i$.

When $P_i$, $\mathcal{P}$, and $\mathcal{F}$ are clear, we simply say that $\mathcal{W}$ is strongly exfiltration-resistant against $J$ or weakly exfiltration-resistant against $J$ respectively. In the special case when $J$ is empty, we say that $\mathcal{W}$ is exfiltration-resistant against eavesdroppers.

This brings us to our strongest security notion.

Definition 7 (Robust RFs). A cryptographic reverse firewall $\mathcal{W}$ is robust for a party $P_i$ in $\mathcal{P}$ with functionality requirements $\mathcal{F}$ and security requirements $\mathcal{S}$ if it is $\mathcal{F}$-maintaining, strongly $\mathcal{S}$-preserving, and strongly exfiltration-resistant against the collection of all parties other than $P_i$ in $\mathcal{P}$. We often simply say that $\mathcal{W}$ is robust when $P_i$, $\mathcal{P}$, $\mathcal{F}$, and $\mathcal{S}$ are clear.

2.3 Discussion of the definitions 

The relationship between exfiltration-resistant and security-preserving firewalls. For many natural notions of security, exfiltration resistance and security preservation are equivalent. For example, a reverse firewall preserves the semantic security of an encryption scheme if and only if it is exfiltration-resistant against an eavesdropper. However, for notions of security that do not promise privacy, a security-preserving firewall is not necessarily exfiltration-resistant. For example, a reverse firewall may preserve the binding property of a commitment scheme, but it may still allow information to leak out of a compromised machine. Even when a security requirement does imply some type of privacy, a firewall that preserves it may not be exfiltration-resistant. For example, the hiding property of a commitment scheme guarantees privacy during the commitment phase, but it certainly does not prevent information from leaking during the opening phase. In fact, it is relatively easy to construct reverse firewalls that strongly preserve the hiding property of commitment schemes (just use a rerandomizable commitment scheme), but it is provably impossible to construct a strongly exfiltration-resistant reverse firewall for the sender against the receiver in any commitment scheme! (Intuitively, the functionality of a commitment scheme allows the sender to communicate a message to the receiver. So, a reverse firewall cannot hope to simultaneously maintain functionality and prevent the sender from leaking information to the receiver.)

On the other hand, it may seem at first that an exfiltration-resistant reverse firewall always preserves security, since interaction with such an RF composed with an adversarially chosen circuit is, by definition, indistinguishable from interaction with an honest implementation. (Technically, we ask that the RF composed with an adversarially chosen circuit is indistinguishable from the RF composed with an honest implementation.) However, this is not always the case. For example, if security requirements are simulation-based or consider adversaries who have access to oracles or are computationally unbounded, then an exfiltration-resistant firewall may not preserve security.

Functionality-maintaining adversaries. Intuitively, our weaker security notions exclude the "more conspicuous" adversaries whose tampered circuit would be noticed by honest parties participating in the protocol with non-negligible probability. However, even our weakest adversaries may behave arbitrarily some negligible fraction of the time against honest parties. This distinction can be quite important in the context of security definitions that allow for the corruption of other players in the protocol. For example, consider an oblivious transfer protocol in which Bob's first message is uniformly random over some large set (as is the case in Section 3). A tampered implementation of Alice in this protocol may respond to one specific such message by, say, encoding the XOR of both of Alice's inputs into its response to Bob. Such an implementation can still be functionality-maintaining because this event rarely happens when Bob behaves honestly. But, the security definition of oblivious transfer requires that an adversary playing the role of Bob should not be able to learn the XOR of the inputs.

So, any reverse firewall that even weakly preserves Alice's security in such a model must somehow address this issue. In Section 3, we address this issue by composing a firewall for Alice that only works against tampered implementations that always maintain functionality with a firewall that is exfiltration-resistant for Bob against Alice. We expect this approach to be useful in future work.

Timing and scheduling issues. Our model does not explicitly account for the timing of messages. In practice, message timing is a natural channel, and a tampered implementation could of course use this to leak information and compromise Alice's security. So, any reverse firewall in the real world must account for this (e.g., by fixing the time between when it receives a message and when it forwards Alice's response). As the above discussion shows, in some cases, it might be necessary for the firewall to control the timing of both outgoing and incoming messages. In a protocol with more than two parties, this issue naturally becomes more complicated. In such cases, protocol designers should consider the relative timing of messages from multiple parties' perspectives and the order in which Alice receives messages from various parties.



3 Oblivious transfer

Naor and Pinkas and Aiello, Ishai, and Reingold independently developed very similar OT protocols whose security reduces immediately to DDH [NP01, AIR01]. We present a version of this protocol that is suitable for our setting. In particular, Alice's input is a pair of elements $(m_0, m_1)$ in some group $G$ of order $p$ in which DDH is hard, and Bob's input is a bit $b$. Alice and Bob then engage in the protocol shown in Figure 2.



Alice: INPUT $(m_0, m_1)$.   Bob: INPUT $b$.
Bob: $(g, c) \leftarrow (G \setminus \{1_G\})^2$; $y \leftarrow \mathbb{Z}_p$.
Bob → Alice: $(g, c, d = g^y, h = c^y g^b)$
Alice: IF $g = 1_G$, OUTPUT $\perp$. $(r_0, s_0, r_1, s_1) \leftarrow \mathbb{Z}_p^4$.
Alice → Bob: $(u_i, e_i)_{i=0}^1 = (g^{r_i} c^{s_i},\ d^{r_i} (h/g^i)^{s_i} m_i)_{i=0}^1$
Bob: OUTPUT $e_b / u_b^y$

Fig. 2: A version of the Naor-Pinkas/Aiello-Ishai-Reingold protocol for oblivious transfer.



Proposition 1. The protocol shown in Figure 2 is correct and secure for both parties if DDH is hard in $G$.

Proof. Correctness follows from the fact that $u_b^y = g^{r_b y} c^{s_b y} = d^{r_b} (h/g^b)^{s_b} = e_b / m_b$, so Bob's output $e_b / u_b^y$ is $m_b$. Bob's security follows immediately from the DDH assumption in $G$.

To prove security for Alice, write $c = g^x$ and $d = g^y$ with $x, y \in \mathbb{Z}_p$ (such $x, y$ exist since $g \neq 1_G$). We note that if $h \neq g^{xy+b}$, i.e., if $(g, c, d, h) \neq (g, g^x, g^y, g^{xy+b})$, then $(u_b, e_b)$ is uniformly random. Indeed, note that

$\log_g (e_b / m_b) = s_b(\log_g h - b) + r_b y = y \cdot \log_g u_b + s_b\left(\log_g h - b - xy\right),$

since $\log_g u_b = r_b + x s_b$. It follows that $u_b$ and $e_b$ are distributed uniformly and independently unless $\log_g h - b = xy$. This allows us to construct, for any (not necessarily efficient) adversary $B$ playing the role of Bob, an (inefficient) simulator $S_B$ with access to the ideal functionality $\mathcal{F}$ that behaves as follows on input $b$.

1. $(\sigma, g, c, d, h) \leftarrow B()$.

2. $(m_0, m_1) \leftarrow G^2$.

3. If $(g, c, d, h) = (g, g^x, g^y, g^{xy+b})$ for some $b \in \{0, 1\}$, set $m_b \leftarrow \mathcal{F}(b)$.

4. $(r_0, r_1, s_0, s_1) \leftarrow \mathbb{Z}_p^4$.

5. $(u_i, e_i)_{i=0}^1 \leftarrow (g^{r_i} c^{s_i},\ d^{r_i} (h/g^i)^{s_i} m_i)_{i=0}^1$.

6. Output $B(\sigma, u_0, e_0, u_1, e_1)$.

It should be clear that the simulator's "message" $(u_i, e_i)_{i=0}^1$ is distributed identically to the message that $B$ receives from Alice in the real protocol, and the result follows. □

We present reverse firewalls for both parties in our variant of the Naor-Pinkas/Aiello-Ishai-Reingold protocol and show that they are secure. Bob's reverse firewall is shown in Figure 3, and Alice's is shown in Figure 4. Alice's firewall by itself strongly prevents leaks against eavesdroppers. In order for it to weakly maintain security, it must be composed with Bob's firewall.



Bob → Firewall: $(g, c, d, h)$
Firewall: $\alpha \leftarrow \mathbb{Z}_p^*$; $x', y' \leftarrow \mathbb{Z}_p$.
  IF $g = 1_G$, $g' \leftarrow G \setminus \{1_G\}$; ELSE, $g' \leftarrow g^\alpha$.
  $c' \leftarrow c^\alpha g'^{x'}$; $d' \leftarrow d^\alpha g'^{y'}$; $h' \leftarrow h^\alpha c^{\alpha y'} d^{\alpha x'} g^{\alpha x' y'}$
Firewall → Alice: $(g', c', d', h')$
Alice → Firewall: $(u_0, e_0, u_1, e_1)$
Firewall: $(u_i', e_i')_{i=0}^1 \leftarrow (u_i,\ e_i / u_i^{y'})_{i=0}^1$
Firewall → Bob: $(u_0', e_0', u_1', e_1')$

Fig. 3: Bob's reverse firewall for the protocol shown in Figure 2.



Bob → Firewall: $(g, c, d, h)$
Firewall: IF $g = 1_G$, OUTPUT $\perp$.
Firewall → Alice: $(g, c, d, h)$
Alice → Firewall: $(u_0, e_0, u_1, e_1)$
Firewall: $(r_0', s_0', r_1', s_1') \leftarrow \mathbb{Z}_p^4$;
  $(u_i', e_i')_{i=0}^1 \leftarrow (u_i\, g^{r_i'} c^{s_i'},\ e_i\, d^{r_i'} (h/g^i)^{s_i'})_{i=0}^1$
Firewall → Bob: $(u_0', e_0', u_1', e_1')$

Fig. 4: Alice's reverse firewall for the protocol shown in Figure 2. It is strongly exfiltration-resistant, and it weakly preserves security when it is composed with the firewall shown in Figure 3.

In Appendix C, we prove the following theorem.

Theorem 2. Bob's reverse firewall $\mathcal{W}_B$ shown in Figure 3 maintains correctness and is robust if the chosen-base DDH with a hint game is hard in $G$.

Alice's reverse firewall $\mathcal{W}_A$ shown in Figure 4 maintains correctness and is strongly exfiltration-resistant against an eavesdropper if DDH is hard in $G$. The composed firewall $\mathcal{W}_B \circ \mathcal{W}_A$ also weakly preserves security against Bob.
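As an added worked example (not from the paper), the following Python script runs the protocol of Figure 2 together with Alice's firewall of Figure 4 over a toy group. The group, the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, is far too small for DDH to be hard and is chosen only so the arithmetic is checkable. The `tampered_alice` implementation, which fixes $r_i = s_i = 0$ so that $e_i = m_i$ goes over the wire in the clear, is a constructed instance of a functionality-maintaining but exfiltrating party; it is not a case the paper analyzes, and the helper names are ours.

```python
import secrets

# Toy DDH group: the order-Q subgroup of Z_P^* for the safe prime P = 2Q + 1.
# These parameters are far too small for security; they only make the algebra checkable.
P = 2039
Q = 1019           # group order (p in the paper's notation)
G = 4              # a quadratic residue mod P, hence a generator of the order-Q subgroup


def rand_exp():
    """Uniform element of Z_Q."""
    return secrets.randbelow(Q)


def rand_elem(exclude_identity=False):
    """Uniform group element, optionally excluding 1_G."""
    while True:
        x = pow(G, rand_exp(), P)
        if not (exclude_identity and x == 1):
            return x


def inv(x):
    return pow(x, -1, P)


def bob_request(b):
    """Bob's message (g, c, d = g^y, h = c^y g^b) from Figure 2, plus his secret y."""
    g = rand_elem(exclude_identity=True)
    c = rand_elem(exclude_identity=True)
    y = rand_exp()
    d = pow(g, y, P)
    h = pow(c, y, P) * pow(g, b, P) % P
    return (g, c, d, h), y


def alice_respond(msg, m0, m1):
    """Honest Alice: (u_i, e_i) = (g^{r_i} c^{s_i}, d^{r_i} (h / g^i)^{s_i} m_i) for i = 0, 1."""
    g, c, d, h = msg
    if g == 1:
        return None                     # OUTPUT ⊥
    resp = []
    for i, m in enumerate((m0, m1)):
        r, s = rand_exp(), rand_exp()
        h_over_gi = h * inv(pow(g, i, P)) % P
        u = pow(g, r, P) * pow(c, s, P) % P
        e = pow(d, r, P) * pow(h_over_gi, s, P) % P * m % P
        resp.append((u, e))
    return resp


def tampered_alice(msg, m0, m1):
    """Constructed leaky Alice: r_i = s_i = 0, so u_i = 1 and e_i = m_i in the clear.
    Bob's output e_b / u_b^y is still m_b, so this implementation maintains functionality."""
    return [(1, m0), (1, m1)]


def alice_firewall(msg, resp):
    """Figure 4: rerandomize each (u_i, e_i) with fresh (r_i', s_i')."""
    g, c, d, h = msg
    out = []
    for i, (u, e) in enumerate(resp):
        r2, s2 = rand_exp(), rand_exp()
        h_over_gi = h * inv(pow(g, i, P)) % P
        out.append((u * pow(g, r2, P) * pow(c, s2, P) % P,
                    e * pow(d, r2, P) * pow(h_over_gi, s2, P) % P))
    return out


def bob_output(resp, y, b):
    u, e = resp[b]
    return e * inv(pow(u, y, P)) % P


def eavesdropper_reads(resp, m0, m1):
    """True if either of Alice's messages appears verbatim in her transcript."""
    return any(e in (m0, m1) for _, e in resp)


def run(b, alice=alice_respond, firewall=None):
    """One OT execution; returns (Bob's output, Alice's inputs, the transcript an eavesdropper sees)."""
    m0, m1 = rand_elem(), rand_elem()
    msg, y = bob_request(b)
    resp = alice(msg, m0, m1)
    if firewall is not None:
        resp = firewall(msg, resp)
    return bob_output(resp, y, b), (m0, m1), resp
```

The tampered party passes every correctness test Bob could run, which is exactly why testing alone does not catch it; only the firewall's rerandomization removes the leak from the transcript while leaving $e_b / u_b^y = m_b$ intact.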
4 Private function evaluation



We now construct a private function evaluation scheme based on the oblivious transfer protocol from Section 3 and a version of Yao's garbled circuit. We assume that the reader is familiar with garbled circuits and this type of construction (see, for example, [BHR12]). Our key technical tool is a rerandomizable garbled circuit based on ElGamal encryption [ElG85], which may be of independent interest.

4.1 A rerandomizable garbled circuit

We wish to use the homomorphic properties and rerandomizability of ElGamal encryption to make a rerandomizable garbled circuit. But, a subtlety immediately arises: Yao's garbled circuit construction makes heavy use of encryptions of private keys (which can be used to decrypt more encryptions of private keys, etc.). However, in ElGamal encryption, private keys are elements in $\mathbb{Z}_p$ but messages are elements of a group $G$ of order $p$ in which DDH is hard. Our construction requires an efficient injective homomorphism from the key space to the message space. But, since DDH is easy in $\mathbb{Z}_p$, such a map cannot exist.

To get around this issue, we use a technique inspired by Prabhakaran and Rosulek [PR07]. In particular, for circuits of depth $D$, we need groups $G_1, \ldots, G_D$ of prime order $|G_d| = p_d$ such that $G_d$ is a subgroup of $\mathbb{Z}_{p_{d+1}}^*$ and $p_{d+1}/p_d$ is polynomially bounded¹ for $d < D$. In particular, this means that, given $g \in G_d$ and $h \in G_{d+1}$, the operation $h^g$ is well-defined, and elements from $G_d$ can therefore serve as private keys for ElGamal encryption over $G_{d+1}$.

Formally, we say that a vertex $z$ is at depth $d$ in a circuit layout $C$ if the longest path from an input vertex to $z$ has length $d - 1$, and we write $\mathrm{depth}(z) = d$. For ease of presentation, we assume that all edges in the circuit layout $C$ are between vertices of adjacent depths (i.e., edges do not "skip levels") and that all output vertices have maximal depth $D$. With this simplification, we can use the group $G_d$ to garble vertices at depth $d$. (Note that this restriction is not necessary, and the garbling scheme generalizes naturally to handle arbitrary circuits.)
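As an added illustration (not part of the paper), the following Python code builds the beginning of the prime chain from footnote 1 ($q_1 = 2$, and $q_{i+1}$ the least prime with $q_{i+1} \equiv 1 \pmod{q_i}$), constructs the order-$q_d$ subgroup $G_d \subset \mathbb{Z}_{q_{d+1}}^*$, and checks the property the construction relies on: the product of two tags in $G_2$ is itself an element of $G_2$ and hence a usable ElGamal private key for $G_3$. The tag exponents and encryption randomness are arbitrary constants chosen for the demonstration; in the scheme they are uniformly random.

```python
def is_prime(n):
    """Deterministic trial division; fine for the small primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def prime_chain(length):
    """q_1 = 2 and q_{i+1} = smallest prime congruent to 1 mod q_i (footnote 1 of the paper)."""
    chain = [2]
    while len(chain) < length:
        q = chain[-1]
        cand = q + 1                    # candidates are q + 1, 2q + 1, 3q + 1, ...
        while not is_prime(cand):
            cand += q
        chain.append(cand)
    return chain


def max_ratio(chain):
    """Largest p_{d+1} / p_d in the chain, the quantity the footnote wants polynomially bounded."""
    return max(b / a for a, b in zip(chain, chain[1:]))


def subgroup_generator(order, modulus):
    """Generator of the order-`order` subgroup of Z_modulus^*; requires order | modulus - 1."""
    assert (modulus - 1) % order == 0
    cofactor = (modulus - 1) // order
    for a in range(2, modulus):
        g = pow(a, cofactor, modulus)
        if g != 1:
            return g
    raise ValueError("no generator found")


def tag_product_is_valid_key():
    """G_2 = order-7 subgroup of Z_29^*, G_3 = order-29 subgroup of Z_59^*.
    Two parent tags in G_2 multiply (mod 29) to another element of G_2, which is a nonzero
    residue mod 29 = |G_3| and therefore usable as an ElGamal exponent over G_3."""
    q = prime_chain(5)                  # [2, 3, 7, 29, 59]
    p_key, p_msg = q[3], q[4]           # moduli in which G_2 and G_3 live
    g_key = subgroup_generator(q[2], p_key)
    g_msg = subgroup_generator(q[3], p_msg)
    t_left, t_right = pow(g_key, 3, p_key), pow(g_key, 5, p_key)   # parent tags (arbitrary)
    key = t_left * t_right % p_key      # K = T_L * T_R, still an element of G_2
    h = pow(g_msg, key, p_msg)          # ElGamal public key g_3^K in G_3
    tag = pow(g_msg, 11, p_msg)         # child tag to encrypt (arbitrary element of G_3)
    r = 17                              # encryption randomness (would be uniform in Z_29)
    u, e = pow(g_msg, r, p_msg), pow(h, r, p_msg) * tag % p_msg
    decrypted = e * pow(pow(u, key, p_msg), -1, p_msg) % p_msg
    return decrypted == tag
```

The chain starts 2, 3, 7, 29, 59, 709; the trial-division primality test is only adequate for such toy sizes, and the 1024-bit and larger primes the footnote refers to need a proper probabilistic primality test.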

Our garbling scheme for a circuit $C$ is shown in Figure 5, and a schematic illustration of gate evaluation is provided in Figure 6. Alice can use the function $\mathsf{Garble}$ to garble a circuit $C$ (represented by a collection of gate functions $(f_z)$), yielding a collection of ciphertexts $(A_z)$ and input tags $(T_z^{(b)})_{z \in I,\, b \in \{0,1\}}$. Given a collection of ciphertexts $(A_z)$ and input tags $(T_z^{(x_z)})_{z \in I}$ corresponding to some input $x$, Bob can use the function $\mathsf{Eval}$ to compute $C(x)$.

In particular, $\mathsf{Garble}$ assigns two tags $T_z^{(0)}$ and $T_z^{(1)}$ to each vertex $z$, which represent the vertex taking the value 0 and 1 respectively. $T_z^{(b)}$ is a uniformly random group element for all vertices that are not output gates, while the tags of output gates are simply encodings $g_D^{b}$ of output bits. Intuitively, we want Bob to "only be able to learn" the tag corresponding to the value that each gate takes when $C$ is evaluated on his input.

The function $\mathsf{Garble}$ represents each non-input gate $z$ by $A_z$, a collection of ElGamal ciphertexts. The ciphertexts are encrypted under one of four private keys, each of which is the product of a tag from the gate's left parent $T_{L(z)}^{(b_L)}$ and a tag from the gate's right parent $T_{R(z)}^{(b_R)}$. The ciphertexts contain encryptions under the private key $T_{L(z)}^{(b_L)} \cdot T_{R(z)}^{(b_R)}$ of the tag $T_z^{(f_z(b_L, b_R))}$ corresponding to the gate's output on some input $(b_L, b_R)$. The ciphertexts are arranged randomly in the collection so that their order does not reveal any information about the circuit. So that Bob can know which ciphertext he should decrypt at each gate, together with each encrypted tag we also include a second ciphertext that encrypts a location bit $\tau$ (under the same key). Bob can then use the two location bits from a gate's left and right parent to know which ciphertext $C_{\tau_L, \tau_R}$ to decrypt at the current gate.

¹ In practice, such chains of primes can be found efficiently. Indeed, the sequence defined by starting at $q_1 = 2$ and setting $q_{i+1}$ to be the minimal prime with $q_{i+1} \equiv 1 \pmod{q_i}$ is suitable. There are 497 primes in this sequence between $2^{1024}$ and $2^{6144}$. The ratios between successive primes in this specific chain are conjectured to remain polynomially bounded in the length of the primes, and other chains with this property are conjectured to be abundant. See, for example, [FKL10].
The output of $\mathsf{Garble}$ is a collection of tags and location bits $(T_z^{(b)}, \tau_z^{(b)})_{z \in I,\, b \in \{0,1\}}$ for the input vertices together with the ciphertexts $(A_z)_{z \in V \setminus I}$. The function $\mathsf{Eval}$ takes as input the ciphertexts $(A_z)$ and the tags and location bits corresponding to some input $x$, $(T_z^{(x_z)}, \tau_z^{(x_z)})_{z \in I}$, and it outputs $C(x)$.



proc. $\mathsf{Garble}(C = (f_z), g_1)$
  FOR $d = 2, \ldots, D$,
    $g_d \leftarrow G_d \setminus \{1_{G_d}\}$
  FOR $z$ in $V$,
    $\tau_z^* \leftarrow \{0, 1\}$
    IF $z \in O$,
      $(T_z^{(0)}, T_z^{(1)}) \leftarrow (1_{G_D}, g_D)$
    ELSE,
      $d \leftarrow \mathrm{depth}(z)$
      $(T_z^{(0)}, T_z^{(1)}) \leftarrow G_d^2$
  FOR $z$ in $V \setminus I$,
    $A_z \leftarrow \mathsf{GarbleGate}(z)$
  FOR $z$ in $I$,
    $(\tau_z^{(0)}, \tau_z^{(1)}) \leftarrow (\tau_z^*, \tau_z^* \oplus 1)$
  OUTPUT $((T_z^{(b)}, \tau_z^{(b)})_{z \in I,\, b \in \{0,1\}},\ (A_z)_{z \in V \setminus I},\ (g_d)_{d=1}^D)$

proc. $\mathsf{GarbleGate}(z)$
  $d \leftarrow \mathrm{depth}(z)$
  FOR $(b_L, b_R)$ in $\{0, 1\}^2$,
    $K \leftarrow T_{L(z)}^{(b_L)} \cdot T_{R(z)}^{(b_R)}$
    $\tau_L \leftarrow b_L \oplus \tau_{L(z)}^*$
    $\tau_R \leftarrow b_R \oplus \tau_{R(z)}^*$
    $\eta \leftarrow (\tau_L, \tau_R)$
    $b \leftarrow f_z(b_L, b_R)$
    $\tau \leftarrow b \oplus \tau_z^*$
    $r, s \leftarrow \mathbb{Z}_{p_d}$
    $(h_\eta, u_\eta, e_\eta) \leftarrow (g_d^K,\ g_d^r,\ h_\eta^r T_z^{(b)})$
    $(v_\eta, w_\eta) \leftarrow (g_d^s,\ h_\eta^s g_d^\tau)$
  OUTPUT $(h_\eta, u_\eta, e_\eta, v_\eta, w_\eta)_{\eta \in \{0,1\}^2}$

proc. $\mathsf{Eval}((T_z, \tau_z)_{z \in I}, (A_z)_{z \in V \setminus I}, (g_d)_{d=1}^D)$
  FOR $d = 1, \ldots, D$,
    IF $g_d = 1_{G_d}$, OUTPUT $\perp$
  FOR $z$ in $V \setminus I$,
    $(T_z, \tau_z) \leftarrow \mathsf{EvalGate}(z)$
  FOR $z$ in $O$,
    IF $T_z \notin \{1_{G_D}, g_D\}$, OUTPUT $\perp$
  OUTPUT $(\log_{g_D} T_z)_{z \in O}$

proc. $\mathsf{EvalGate}(z)$
  $d \leftarrow \mathrm{depth}(z)$
  PARSE $(h_\eta, u_\eta, e_\eta, v_\eta, w_\eta)_\eta \leftarrow A_z$
  $K \leftarrow T_{L(z)} \cdot T_{R(z)}$
  $\eta \leftarrow (\tau_{L(z)}, \tau_{R(z)})$
  IF $h_\eta \neq g_d^K$, OUTPUT $\perp$
  $(T_z, S_z) \leftarrow (e_\eta / u_\eta^K,\ w_\eta / v_\eta^K)$
  IF $S_z \notin \{1_{G_d}, g_d\}$, OUTPUT $\perp$
  OUTPUT $(T_z, \log_{g_d} S_z)$

Fig. 5: Our garbled circuit scheme with input circuit $C$ of depth $D$ and a publicly known layout. (We assume for simplicity that all edges in the circuit are from vertices of depth $d$ to vertices of depth $d + 1$ and that all output vertices have maximal depth.)



[Figure 6 (schematic): the parent tags $T_{L(z)}^{(b_L)}$ and $T_{R(z)}^{(b_R)}$ of gate $z$ select, via their location bits, one of the four ciphertexts $C_{0,0}, C_{1,0}, C_{0,1}, C_{1,1}$ in $A_z$, and their product $T_{L(z)}^{(b_L)} \cdot T_{R(z)}^{(b_R)}$ is the key that decrypts it to $T_z^{(f_z(b_L, b_R))}$.]

Fig. 6: A schematic representation of the evaluation of a single gate. The bits $b_L$, $b_R$, and $b_z$ are not known to the evaluation algorithm.



4.2 PFE from garbled circuits and OT

With the garbling scheme from Figure 5 and the oblivious transfer scheme from Section 3, we can build a private function evaluation protocol, which we present in Figure 7. We note that the protocol can be optimized so that Bob sends his oblivious transfer messages in one batch. With this optimization, the protocol requires only two messages. (Bob sends $(g_1, c)$ and his oblivious transfer requests in a single message. Alice then sends her responses to the oblivious transfer requests and the garbled circuit, also in a single message.) The proof of security as well as the reverse firewalls and their corresponding proofs of security can be naturally modified to accommodate this change.



Alice: INPUT $C = (f_z)_{z \in V \setminus I}$.   Bob: INPUT $x$.

Setup Phase
Bob: $g_1 \leftarrow G_1 \setminus \{1_{G_1}\}$; $c \leftarrow G_1$.
Bob → Alice: $(g_1, c)$
Alice: IF $g_1 = 1_{G_1}$, OUTPUT $\perp$. $((T_z^{(b)}, \tau_z^{(b)}), (A_z), (g_d)) \leftarrow \mathsf{Garble}(C, g_1)$.

Input Phase (Oblivious Transfer), for each $z \in I$
Bob: $y \leftarrow \mathbb{Z}_{p_1}$; $(d, h) \leftarrow (g_1^y,\ c^y g_1^{x_z})$.
Bob → Alice: $(d, h)$
Alice: FOR $b$ in $\{0, 1\}$,
  $(q, r, s, t) \leftarrow \mathbb{Z}_{p_1}^4$
  $(u_b, e_b) \leftarrow (g_1^q c^r,\ d^q (h/g_1^b)^r\, T_z^{(b)})$
  $(v_b, w_b) \leftarrow (g_1^s c^t,\ d^s (h/g_1^b)^t\, g_1^{\tau_z^{(b)}})$
Alice → Bob: $(u_b, e_b, v_b, w_b)_{b=0}^1$

Output Phase (Garbled Circuit)
Alice → Bob: $((A_z), (g_d))$
Bob: OUTPUT $\mathsf{Eval}((T_z, \tau_z), (A_z), (g_d))$

Fig. 7: A private function evaluation protocol using our oblivious transfer protocol from Section 3 and our garbled circuit scheme shown in Figure 5. (See Figure 5 for the functions $\mathsf{Garble}$ and $\mathsf{Eval}$.)



We prove the following proposition in Appendix E.

Proposition 3. The private function evaluation protocol shown in Figure 7 is correct and secure for both Alice and Bob if DDH is hard in the $(G_d)$.

4.3 Reverse firewalls for PFE

Bob's reverse firewall is very similar to his reverse firewall in Section 3. For completeness, we present it in Figure 11 in Appendix D. Alice's reverse firewall is shown in Figure 8. It makes use of a function $\mathsf{RerandGarble}$ that rerandomizes garbled circuits. This procedure is rather complicated because our garbled circuits necessarily have many moving parts: location bits $\tau$; the ordering of the ciphertexts, which is determined by the location bits; tags $T$; the keys, which are products of the tags; and the randomness used to encrypt the tags and location bits. Our task is to rerandomize all of this without breaking functionality. Below, we describe the intuition behind the rerandomization procedure. We provide the (rather complex) pseudocode in Figure 10 in Appendix D.
Ideally, in order to rerandomize the tags in the garbled circuit, we would simply use the malleability of ElGamal to multiply each tag $T_z^{(b)}$ by a uniformly random mask $R_z^{(b)}$. But (as Gentry et al. observe in a similar context [GHV10]), the firewall cannot know which tags are used to generate which keys, so maintaining consistency between tags and keys would not be possible with this approach. We can, however, multiply both $T_z^{(0)}$ and $T_z^{(1)}$ by a single uniformly random mask $R_z$ (i.e., we can multiply all the corresponding ciphertexts by $R_z$). Since we apply this operation to both tags, we can easily maintain consistency (after noting that an ElGamal encryption under a private key $k$ can be easily converted into an encryption under $k \cdot k'$ without knowing $k$). But, we need a second degree of freedom per gate (otherwise, $T_z^{(0)} / T_z^{(1)}$ would remain unchanged).

We find our solution in the location bits. In particular, for each ciphertext $(h, u, e, v, w) = (h, g^r, h^r T, g^s, h^s g^\tau)$, we use the homomorphic property of ElGamal encryption to multiply the tag $T$ by $g^{\beta_z \tau}$ for uniformly random $\beta_z$. Since the location bit $\tau$ encodes which ciphertexts will be encrypted under a key generated from $T$, we do not need to know which tags correspond to which keys to maintain consistency between the tags and keys; we just need to know that whichever tag had a corresponding location bit $\tau = 1$ was multiplied by $g^{\beta_z}$. The complete mask is therefore $R_z g^{\beta_z \tau}$ for the appropriate value of $\tau$.²

We also need a way to rerandomize the location bits themselves. Recall that the location bits $\tau$ are encrypted as $(v, w) = (g^s, h^s g^\tau)$. In order to rerandomize them, we note that $(v^{-1}, w^{-1} g) = (g^{-s}, h^{-s} g^{1-\tau})$ is an encryption of $\tau \oplus 1$. We can therefore flip the location bits without knowing their values.

To maintain consistency with the rerandomization of the oblivious transfer rounds, $\mathsf{RerandGarble}$ takes as input the masks that should be used to rerandomize the input tags. In particular, the procedure takes as input a collection of garbled gates $(A_z)_{z \in V \setminus I}$, group elements $(g_d)_{d=1}^D$, and masks for the input vertices $(R_z, \beta_z, b_z^*)_{z \in I}$; it outputs new ciphertexts $(A_z')$ and new group elements $(g_d')$. The masks $R_z$ and $\beta_z$ are used to mask tags as described above, and the bit $b_z^*$ determines whether the location bits $\tau_z^{(b)}$ should be flipped. (The masks for non-input vertices are selected uniformly at random by the rerandomization procedure.)

In Appendix F, we prove the following theorem.

Theorem 4. The reverse firewall for Bob shown in Figure 11 is robust if the DDH with a hint game is hard in $G_1$.

The reverse firewall for Alice shown in Figure 8 maintains correctness, weakly preserves Alice's security, and is strongly exfiltration-resistant against an eavesdropper if non-uniform DDH is hard in the $(G_d)$.

5 A generic construction for strong exfiltration resistance against eavesdroppers 

We now show that any protocol can be converted into a protocol that has a reverse firewall for each party that is strongly exfiltration-resistant against eavesdroppers. The resulting protocol will have at most one additional (broadcast) message per party (or fewer than two additional messages per party in the non-broadcast model). For all of the primitives that we consider in this paper, the resulting protocol will also satisfy the same security requirements as the original protocol. We cannot say that the resulting protocol will always satisfy the same security requirements for arbitrary primitives because security requirements are quite a general notion. For example, a security requirement could specifically ask that a protocol does not have an exfiltration-resistant reverse firewall.

In order to achieve this, the key idea is to use a public-key encryption scheme that is rerandomizable and 
has a rerandomizable key. I.e., a reverse firewall should be able to convert any public key into a uniformly 
random public key in such a way that it can also convert messages encrypted under the resulting key 

² Of course, a tampered implementation playing the role of Alice may not produce ciphertexts of the correct form $(h, g^r, h^r T, g^s, h^s g^\tau)$ where $\tau$ is a bit. But, our rerandomization algorithm will still multiply each key of the children of the node $z$ by the mask $R_z g^{\beta_z \tau}$ for the appropriate value of $\tau$. This rerandomization of keys is what makes the scheme secure.
Setup Phase
Bob → Firewall → Alice: $(g_1, c)$ (forwarded unchanged)
Firewall: FOR $z$ in $I$, $R_z \leftarrow G_1$; $\beta_z \leftarrow \mathbb{Z}_{p_1}$; $b_z^* \leftarrow \{0, 1\}$.

Input Phase (Oblivious Transfer), for each $z \in I$
Bob → Firewall → Alice: $(d, h)$ (forwarded unchanged)
Alice → Firewall: $(u_b, e_b, v_b, w_b)_{b=0}^1$
Firewall: FOR $b$ in $\{0, 1\}$,
  $(q', r', s', t') \leftarrow \mathbb{Z}_{p_1}^4$
  $u_b' \leftarrow u_b\, g_1^{q'} c^{r'}\, v_b^{\beta_z}$
  $e_b' \leftarrow e_b\, d^{q'} (h/g_1^b)^{r'}\, R_z\, w_b^{\beta_z}$
  $v_b' \leftarrow v_b\, g_1^{s'} c^{t'}$
  $w_b' \leftarrow w_b\, d^{s'} (h/g_1^b)^{t'}$
  IF $b_z^* = 1$, $v_b' \leftarrow v_b'^{-1}$; $w_b' \leftarrow w_b'^{-1} g_1$
Firewall → Bob: $(u_b', e_b', v_b', w_b')_{b=0}^1$

Output Phase (Garbled Circuit)
Alice → Firewall: $((A_z), (g_d))$
Firewall: $((A_z'), (g_d')) \leftarrow \mathsf{RerandGarble}((A_z), (g_d), (R_z, \beta_z, b_z^*))$
Firewall → Bob: $((A_z'), (g_d'))$

Fig. 8: Alice's firewall for the private function evaluation protocol shown in Figure 7. See Figure 10 in Appendix D for the formal definition of $\mathsf{RerandGarble}$.



into messages encrypted under the original key. ElGamal encryption has this property (as we observe in Section 4), so we describe the scheme using ElGamal.

In particular, we interpret all messages as elements in some group $G$ of order $p$ in which DDH is hard. Each party computes $g \leftarrow G \setminus \{1_G\}$ and $x \leftarrow \mathbb{Z}_p$ and sends the message $(g, h = g^x)$ to all other parties. All future messages $m$ sent to a party are then replaced by ciphertexts encrypted under her public key, $(u = g^r, e = h^r m)$. Each time any party receives an encrypted message $(u, e)$, she decrypts it as $m = e / u^x$ and then proceeds with the protocol as normal. In addition, to prevent leakage due to early termination of the protocol, the parties never output $\perp$ until the end of the protocol; they instead send encryptions of a special message $m_\perp$ and wait until the end of the protocol to output $\perp$. A party's reverse firewall simply rerandomizes her keys and ciphertexts. If the party ever sends a message that is not of the right form, the firewall simply sends two uniformly random group elements in place of an encryption.



Key Exchange
Alice → Firewall: $K_A = (g_A, h_A)$
Firewall: $x' \leftarrow \mathbb{Z}_p$; $\alpha \leftarrow \mathbb{Z}_p^*$.
  IF $K_A \notin G^2$ OR $g_A = 1_G$, $g_A' \leftarrow G \setminus \{1_G\}$; $h_A' \leftarrow G$
  ELSE, PARSE $(g_A, h_A) \leftarrow K_A$; $g_A' \leftarrow g_A^\alpha$; $h_A' \leftarrow h_A \cdot g_A'^{x'}$
Firewall → Bob: $(g_A', h_A')$
Bob → Firewall → Alice: $(g_B, h_B)$ (forwarded unchanged)

Encryptions of messages in $\mathcal{P}$
Bob → Firewall: $(u_1, e_1) = (g_A'^{r}, h_A'^{r} m_1)$
Firewall: $u_1' \leftarrow u_1^{1/\alpha}$; $e_1' \leftarrow e_1 / u_1^{x'}$
Firewall → Alice: $(u_1', e_1')$
Alice → Firewall: $M = (g_B^{r}, h_B^{r} m_2)$
Firewall: IF $M \notin G^2$, $(u_2', e_2') \leftarrow G^2$
  ELSE, PARSE $(u_2, e_2) \leftarrow M$; $r' \leftarrow \mathbb{Z}_p$; $(u_2', e_2') \leftarrow (u_2\, g_B^{r'},\ e_2\, h_B^{r'})$
Firewall → Bob: $(u_2', e_2')$

Fig. 9: A reverse firewall for Alice in a modified arbitrary two-party protocol $\mathcal{P}$. Two messages are added to the protocol in which the parties exchange public keys. They then follow the specification of $\mathcal{P}$, replacing messages $m_i$ with ciphertexts $(g^r, h^r m_i)$. Bob has a similar reverse firewall.



We show such a firewall for Alice in the two-party case in Figure 9. Note that Bob can implement essen- 
tially the same firewall. The fact that this firewall is strongly exfiltration-resistant against eavesdroppers 
follows immediately from the assumption that DDH is hard in G. 
We note that, in general, the construction in Figure 9 should not be expected to "compose well" with other reverse firewalls. I.e., if some protocol has a reverse firewall that preserves Alice's security but is not exfiltration-resistant, we cannot necessarily apply the above transformation and obtain a protocol with a reverse firewall that both preserves Alice's security and is exfiltration-resistant, as it will not be possible for an efficient firewall to compute arbitrary functions on the messages if they are encrypted. Even a very simple operation like equality testing (e.g., testing whether a message is some specific element) cannot be done efficiently if the message is encrypted under a semantically secure scheme. So, in general, one may need to choose between strongly exfiltration-resistant firewalls and firewalls that preserve security.
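As an added example covering both the rerandomization operations sketched in Section 4.3 and the firewall of Figure 9 (example code written for this page, not the paper's own), the following Python implements ElGamal over a toy group together with the firewall's transformations. The group, the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, is far too small for DDH to be hard and is chosen only so that the arithmetic is checkable. `rekey` uses the exponent $1/k'$, one way to turn an encryption under $k$ into one under $k \cdot k'$ without knowing $k$; the keys here are integers mod the group order rather than the chained-group elements of Section 4.1, and the malformed-message check in `firewall_outbound` treats anything that is not a pair of subgroup elements as "not of the right form". All function names are ours.

```python
import secrets

# Toy DDH group: the order-Q subgroup of Z_P^*, P = 2Q + 1 (far too small for real security).
P, Q, G = 2039, 1019, 4


def rand_exp(nonzero=False):
    """Uniform element of Z_Q (or of Z_Q^* when nonzero=True)."""
    while True:
        x = secrets.randbelow(Q)
        if x or not nonzero:
            return x


def inv(x):
    return pow(x, -1, P)


def in_group(z):
    """Membership test for the order-Q subgroup (the identity included)."""
    return isinstance(z, int) and 1 <= z < P and pow(z, Q, P) == 1


# ElGamal: public key (g, h = g^k); ciphertext (u, e) = (g^r, h^r m).
def keygen():
    g = pow(G, rand_exp(nonzero=True), P)       # g != 1_G
    k = rand_exp()
    return (g, pow(g, k, P)), k


def encrypt(key, m):
    g, h = key
    r = rand_exp()
    return pow(g, r, P), pow(h, r, P) * m % P


def decrypt(k, ct):
    u, e = ct
    return e * inv(pow(u, k, P)) % P


# --- Section 4.3: the three malleability operations RerandGarble is built from ---

def rekey(ct, k2):
    """Encryption under k -> encryption under k * k2, without knowing k:
    (g^{r/k2})^{k k2} = g^{rk} = h^r, so the e component is untouched."""
    u, e = ct
    return pow(u, pow(k2, -1, Q), P), e


def flip_location_bit(g, ct):
    """(v, w) = (g^s, h^s g^tau) -> (v^-1, w^-1 g) = (g^-s, h^-s g^(1-tau)), encrypting tau xor 1."""
    v, w = ct
    return inv(v), inv(w) * g % P


def mask_tag(tag_ct, loc_ct, R, beta):
    """(u, e) encrypts T and (v, w) encrypts g^tau under the same key;
    (u v^beta, e R w^beta) encrypts T * R * g^(beta tau), the paper's complete mask."""
    (u, e), (v, w) = tag_ct, loc_ct
    return u * pow(v, beta, P) % P, e * R % P * pow(w, beta, P) % P


# --- Section 5 / Figure 9: Alice's firewall for the generic construction ---

def firewall_setup(key_a):
    """Outgoing key (g_A^alpha, h_A * g_A'^x'); returns the new key and the firewall's state."""
    g, h = key_a
    alpha, x2 = rand_exp(nonzero=True), rand_exp()
    g2 = pow(g, alpha, P)
    return (g2, h * pow(g2, x2, P) % P), (alpha, x2)


def firewall_inbound(state, ct):
    """Ciphertext under the rerandomized key -> ciphertext under Alice's real key:
    (u^{1/alpha}, e / u^{x'})."""
    alpha, x2 = state
    u, e = ct
    return pow(u, pow(alpha, -1, Q), P), e * inv(pow(u, x2, P)) % P


def firewall_outbound(key_b, msg):
    """Rerandomize Alice's outgoing ciphertext under Bob's key with fresh r';
    anything not of the form (u, e) in G^2 is replaced by two random group elements."""
    if not (isinstance(msg, tuple) and len(msg) == 2 and all(in_group(z) for z in msg)):
        return pow(G, rand_exp(), P), pow(G, rand_exp(), P)
    g_b, h_b = key_b
    u, e = msg
    r2 = rand_exp(nonzero=True)
    return u * pow(g_b, r2, P) % P, e * pow(h_b, r2, P) % P
```

Note that `firewall_inbound` needs Alice's original public key only through the firewall's own $(\alpha, x')$: the firewall never learns $x_A$, which is what makes it an untrusted component rather than a key-holding proxy.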

6 Conclusion and directions for future work 

The revelations of Edward Snowden [PLS13, BBG13, Gre14] highlight a different kind of threat posed by sophisticated adversaries: the potential hijacking of a user's own software or hardware for subversive purposes. A compromised machine engaged in a cryptographic protocol may (perhaps selectively) fail to protect security or enable a covert communication channel through which the attacker can leak sensitive information or coordinate its activities. Standard solutions such as testing, auditing, or monitoring cannot in general ensure security since the attacker may use cryptographic methods to cover its tracks (aided by the complexity of modern protocols and the ubiquitous use of randomness in communications).

To counter the threat of insider attacks, we propose the concept of a (cryptographic) reverse firewall, whose role is to backstop the security of some underlying cryptographic scheme. We discuss several desirable properties of reverse firewalls (maintaining functionality, preserving security, and protecting against exfiltration attacks) and two types of tampering (arbitrary tampering and functionality-maintaining tampering). The generality of our definition provides a framework for studying insider attacks and countermeasures across a wide range of primitives.

Our main technical contribution is a protocol for private function evaluation based on Yao's garbled circuits and oblivious transfer that admits a reverse firewall for both parties. The instantiation of this remarkably strong primitive in a way that remains secure even when the user's computer has been compromised shows the power of reverse firewalls as a tool for protecting against insider attacks. In addition, our rerandomizable garbling scheme is more efficient and is secure against a stronger adversary than the scheme proposed by Gentry et al. [GHV10] (though we rely on slightly stronger number-theoretic assumptions).

We also show that any protocol can be easily converted into a protocol with an exfiltration-resistant 
reverse firewall for each party (and the same functionality). This provides a generic way to prevent a 
tampered machine from leaking information to an eavesdropper via any protocol. 

We conclude with a (non-exhaustive!) list of exciting directions for future work in the newly emphasized 
study of defense against insider attacks: 

1. The most obvious direction for future work is simply the instantiation of more primitives in this 
framework. While this work includes an instantiation of private function evaluation (which can be 
used to instantiate many more primitives), there is still much more to study. For example, can we 
achieve stronger notions of security for two party computation? (We prove a relatively restricted 
notion of security for private function evaluation.) How efficiently (and under what assumptions) can 
we instantiate simpler primitives in this model? What can we achieve in the multi-party case? What 
about other primitives that are not implied by PFE (such as authenticated key agreement)? 

2. We hope that future work on reverse firewalls develops a comprehensive collection of composable, efficient, modular protocols with secure reverse firewalls. The "holy grail" would be a full characterization of functionalities and security properties for which reverse firewalls exist.

3. More generally, we hope to see a systematic study of defensive mechanisms against deliberate insider attacks. The legitimate targets of these attacks include software libraries, hardware platforms, communication channels, standards, protocols, sources of entropy, system parameters, and the choice of constants.
A Definitions of primitives 

A.1 Oblivious transfer 

We provide a (relatively weak) security definition for oblivious transfer as in [NP01]. 

Definition 8. A one-out-of-two oblivious transfer protocol is a two-party protocol with a sender, Alice, 
and a receiver, Bob. Alice's input is a pair of messages $(m_0, m_1)$, and Bob's is a bit $b$. The protocol is 
correct if Bob's output is $m_b$. 

The ideal functionality of an oblivious transfer protocol is a protocol that Alice and Bob play with a 
trusted third party. Alice simply sends her input messages $(m_0, m_1)$ to the trusted third party, and Bob 
provides a bit $b$ (not necessarily his input). The third party then sends $m_b$ to Bob. 

The protocol is secure for Alice if for every (not necessarily efficient) adversary $B$ playing the role of Bob, 
there exists a (not necessarily efficient) simulator $S_B$ with access to the ideal functionality such that 
for any input $(m_0, m_1, b)$, the distribution of the output of $S_B$ has negligible statistical distance from the 
output produced by $B$ playing the role of Bob in the real protocol. 

The protocol is secure for Bob if no probabilistic polynomial-time adversary playing the role of Alice 
can distinguish between the transcript generated when Bob's input is 0 and the transcript generated when 
his input is 1. 

A.2 Private function evaluation 

(See [BHR12] for a more formal definition of circuits and circuit layouts.) 

Definition 9 (Circuits and circuit layouts). A circuit layout is a directed acyclic graph such that 
all vertices except for input vertices have in-degree 2 and all vertices except for output vertices have 
positive out-degree. Input vertices have in-degree 0 and cannot be output vertices. Here, non-input vertices 
represent gates (and we often refer to them as such) and edges represent wires. We require that the vertices 
are numbered topologically (i.e., edges go only from lower-numbered vertices to higher-numbered vertices), 
and input vertices come first such that the $i$th bit of input corresponds to vertex $i$. We write $V$ for the set 
of all vertices, $I$ for the set of input vertices, and $O$ for the set of output vertices. For each gate $z$, we 
define $L(z)$ and $R(z)$ as the two vertices preceding $z$. 

A circuit $C$ is a circuit layout together with a collection of functions $f_z : \{0,1\}^2 \to \{0,1\}$, one for each 
non-input gate $z$. We view the individual functions as instantiations of the gates and the input $(b_L, b_R)$ as 
the bits from the left and right wire respectively. 
Given an input $x$ and a circuit $C$, we define a bit $b_z$ for each vertex $z$ as follows. For each input 
vertex $z$, we simply set $b_z \leftarrow x_z$. For each gate $z$ (from the lowest-numbered gate to the highest), we set 
$b_z \leftarrow f_z(b_{L(z)}, b_{R(z)})$. We say that gate $z$ takes the value $b_z$. Finally, we define $C(x)$ as the values taken by 
the output gates in order, $(b_z)_{z \in O}$. 
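As an added example (not code from the paper), here is the evaluation rule of Definition 9 in Python: a circuit is a topologically numbered layout with $L(z), R(z)$ for every gate plus one function $f_z$ per gate, the layout checks enforce the in-degree, out-degree and numbering conditions of the definition, and $C(x)$ is computed gate by gate from the lowest-numbered gate upward. The full-adder circuit at the bottom is constructed for this example, and the class and method names are the example's own.

```python
# Added example: evaluating a circuit over a circuit layout as in Definition 9.
# Vertices are numbered 1..n topologically, the first |I| vertices are inputs,
# every gate z has two predecessors (L(z), R(z)), and b_z is computed from the
# lowest-numbered gate to the highest.
from typing import Callable, Dict, List, Tuple

Gate = Callable[[int, int], int]  # f_z : {0,1}^2 -> {0,1}


class Circuit:
    """A circuit layout (DAG) plus one Boolean function per gate.

    preds[z] = (L(z), R(z)) for every gate z; outputs is the set O in order.
    """

    def __init__(self, n_inputs: int, preds: Dict[int, Tuple[int, int]],
                 gates: Dict[int, Gate], outputs: List[int]) -> None:
        self.n_inputs = n_inputs
        self.preds = preds
        self.gates = gates
        self.outputs = outputs
        self._check_layout()

    def _check_layout(self) -> None:
        n = self.n_inputs + len(self.preds)
        inputs = set(range(1, self.n_inputs + 1))
        if set(self.preds) != set(range(self.n_inputs + 1, n + 1)):
            raise ValueError("gates must be numbered n_inputs+1 .. n")
        if set(self.gates) != set(self.preds):
            raise ValueError("every gate needs exactly one function f_z")
        # Topological numbering: edges only go from lower to higher vertices,
        # and every gate has in-degree exactly 2 (its two listed predecessors).
        for z, (l, r) in self.preds.items():
            if not (1 <= l < z and 1 <= r < z):
                raise ValueError(f"gate {z} has a predecessor that is not below it")
        if any(o in inputs for o in self.outputs):
            raise ValueError("input vertices cannot be output vertices")
        # Every non-output vertex must feed a later gate (positive out-degree).
        used = {v for l, r in self.preds.values() for v in (l, r)}
        dangling = [v for v in range(1, n + 1)
                    if v not in used and v not in self.outputs]
        if dangling:
            raise ValueError(f"non-output vertices with out-degree 0: {dangling}")

    def evaluate(self, x: str) -> str:
        """Return C(x) = (b_z)_{z in O} for a bit string x with |x| = |I|."""
        if len(x) != self.n_inputs or set(x) - {"0", "1"}:
            raise ValueError("x must be a bit string of length n_inputs")
        b: Dict[int, int] = {i + 1: int(bit) for i, bit in enumerate(x)}  # b_z <- x_z
        for z in sorted(self.preds):                                       # lowest gate first
            l, r = self.preds[z]
            b[z] = self.gates[z](b[l], b[r])                               # b_z <- f_z(b_L(z), b_R(z))
        return "".join(str(b[z]) for z in self.outputs)


# Constructed sample circuit: a 1-bit full adder.
# Inputs 1=a, 2=b, 3=carry_in; gates 4..8; outputs (sum, carry_out) = (6, 8).
AND = lambda p, q: p & q
XOR = lambda p, q: p ^ q
OR = lambda p, q: p | q


def full_adder() -> Circuit:
    return Circuit(
        n_inputs=3,
        preds={4: (1, 2), 5: (1, 2), 6: (4, 3), 7: (4, 3), 8: (5, 7)},
        gates={4: XOR, 5: AND, 6: XOR, 7: AND, 8: OR},
        outputs=[6, 8],
    )
```

A layout that violates the numbering condition (a gate whose predecessor has a higher number) is rejected at construction time rather than silently evaluated out of order.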

Definition 10 (Private function evaluation). A private function evaluation protocol is a two-party 
protocol between Alice and Bob. A circuit layout $\mathcal{C}$ is a public parameter. Alice's input is a circuit $C$ with 
layout $\mathcal{C}$. Bob's input is a bit string $x$ with $|x| =$ 

The ideal functionality of a private function evaluation protocol is played with a trusted third party. 
Alice provides the circuit $C$ to the third party, and Bob provides his input $x$. The third party then sends 
$C(x)$ to Bob, and Bob outputs the result. 

A protocol is correct if Bob's output in the real protocol is identical to his output in the ideal protocol. 

The protocol is secure for Alice if there exists a probabilistic polynomial-time simulator $S$ with access 
to the ideal functionality and the input $x$ (but not the circuit!) such that for any adversarially chosen input 
$(C, x)$, the output of $S$ is computationally indistinguishable from the view of Bob during an execution of 
the protocol. 

The protocol is secure for Bob if no probabilistic polynomial-time adversary playing the role of Alice 
can provide two inputs $(x_0, x_1)$ and then distinguish between the view of Alice when Bob's input is $x_0$ and 
the view of Alice when his input is $x_1$. 

B Groups and hardness assumptions 

Definition 11 (Family of groups). We say that $\mathcal{G} = (G_\lambda)_\lambda$ is an efficiently computable family of 
groups if there is some probabilistic polynomial-time algorithm $\mathsf{setup}$ such that $\mathsf{setup}(1^\lambda)$ outputs a 
representation of a group $G_\lambda$ with all group elements represented by $\mathrm{poly}(\lambda)$ bits, a polynomial-size circuit that 
outputs a uniformly random group element on random input, the order of the group, and a polynomial-size 
circuit that computes the group operation over $G_\lambda$. 

Throughout this paper, whenever we refer to a group $G$ with certain properties, we implicitly define 
a family of groups $\mathcal{G}$ with these properties and assume that $G \leftarrow \mathsf{setup}(1^\lambda)$, where $\lambda$ is the security 
parameter. We assume that all algorithms have access to the group description. We write $1_G$ to denote 
the identity element in $G$. When we speak of negligible probabilities, polynomial-time algorithms, etc., 
we mean probabilities that are negligible in the security parameter $\lambda$, algorithms whose running time is 
polynomial in the security parameter, etc. We sometimes need to work with more than one group at a 
time, so we extend these notions in the natural way to a collection of groups. 

Definition 12 (Decisional Diffie-Hellman). Let $G$ be a group of order $p$. Then, we say that decisional 
Diffie-Hellman (DDH) is hard in $G$ if no probabilistic polynomial-time algorithm $\mathcal{A}$ can distinguish between 

$(g, g^x, g^y, g^{xy})$, where $g \xleftarrow{\$} G$ and $(x, y) \xleftarrow{\$} \mathbb{Z}_p^2$, and $(g_1, g_2, g_3, g_4) \xleftarrow{\$} G^4$. 

We will need a slight variant of the DDH assumption, which we call DDH with a hint. 

Definition 13 (DDH with a hint). We say that DDH with a hint is hard in $G$ if no probabilistic 
polynomial-time adversary $\mathcal{A}$ has non-negligible advantage in the following game. 

1. $(a, g, c, d) \leftarrow \mathcal{A}(1^\lambda)$, with $(g, c, d) \in G^3$. 

2. Sample $b \xleftarrow{\$} \{0, 1\}$ and $(x, y) \xleftarrow{\$} \mathbb{Z}_p^2$. 

3. If $b = 1$, set $z \leftarrow xy$. Otherwise, set $z \xleftarrow{\$} \mathbb{Z}_p$. 

4. $b^* \leftarrow \mathcal{A}(a, (g^x, g^y, g^z, c^x, d^y))$. 

5. $\mathcal{A}$ wins if and only if $b = b^*$. 
It will also be convenient to define two hardness assumptions that are implied by DDH. 

Definition 14 (Subgroup DDH). Let $G$ be a group of order $p$ and $\mathbb{G}$ be a subgroup of $\mathbb{Z}_p^*$. We say that 
$\mathbb{G}$-subgroup DDH is hard in $G$ if no probabilistic polynomial-time algorithm $\mathcal{A}$ can distinguish between 
$(g, g^x, g^y, g^{xy})$, where $g \xleftarrow{\$} G$ and $(x, y) \xleftarrow{\$} \mathbb{G}^2$, and $(g_1, g_2, g_3, g_4) \xleftarrow{\$} G^4$. 

Lemma 1. Let $G$ be a group of order $p$ and $\mathbb{G}$ be a subgroup of $\mathbb{Z}_p^*$. If DDH is hard in $G$ and $|G|/|\mathbb{G}|$ is 
polynomially bounded, then $\mathbb{G}$-subgroup DDH is hard in $G$. 

Proof. Fix some probabilistic polynomial-time adversary $\mathcal{A}$ in the DDH game, and let $g \xleftarrow{\$} G$. Consider 
the cosets of $\mathbb{G}$ in $\mathbb{Z}_p^*$. In particular, we can associate to each pair of cosets $(C_i, C_j)$ an advantage 

$$P_{C_i, C_j} := \Pr_{(x, y) \leftarrow C_i \times C_j}\left[\mathcal{A}(g, g^x, g^y, g^{xy}) = 1\right] - \Pr_{(x, y, z) \leftarrow C_i \times C_j \times \mathbb{Z}_p^*}\left[\mathcal{A}(g, g^x, g^y, g^z) = 1\right].$$ 

Suppose that $\mathcal{A}$ has non-negligible advantage in the $\mathbb{G}$-subgroup DDH game. Then, there is some 
constant $k$ such that $P_{\mathbb{G}, \mathbb{G}} > \lambda^{-k}$. Let $I = |G|/|\mathbb{G}|$ be the index of $\mathbb{G}$ over $G$, and recall that $I$ is 
polynomially bounded. By the pigeonhole principle, there must be some interval between $0$ and $\lambda^{-k}$ of 
length $1/(2\lambda^k I^2)$ such that none of the values $P_{C_i, C_j}$ is in this interval. So, by the Chernoff bound, for 
each $(C_i, C_j)$, we can run $\mathcal{A}$, say, $100\lambda^{2k} I^4$ times to classify $P_{C_i, C_j}$ as either greater than the midpoint of 
this interval or less than it, failing with only negligible probability. Indeed, given $(g, g^x)$ for unknown $x$ 
in coset $C(x)$ and any coset $C_j$, we can classify $P_{C(x), C_j}$ by running $\mathcal{A}$ a total of $100\lambda^{2k} I^4$ times on input 
of the form $(g, g^x, g^y, g^{xy})$ and input of the form $(g, g^x, g^y, g^z)$ for $z \xleftarrow{\$} \mathbb{Z}_p^*$ and $y \xleftarrow{\$} C_j$ and 
comparing the results. Similarly, given $(g, g^y)$, we can classify $P_{C_i, C(y)}$. 

Finally, we claim that given $(g, g^x, g^y)$, we can classify $P_{C(x), C(y)}$. We do this by first classifying all of 
the $P_{C_i, C_j}$. We then divide the $C_i$ into left equivalence classes such that for two elements $C_i$ and $C_{i'}$ in the 
same equivalence class, $P_{C_i, C_j}$ has the same classification as $P_{C_{i'}, C_j}$ for all $C_j$. We similarly divide the $C_j$ 
into right equivalence classes. Finally, using the idea outlined above, we can identify the left equivalence 
class of $C(x)$ and the right equivalence class of $C(y)$. We can then categorize $P_{C(x), C(y)}$ by finding the 
unique category that "matches" these equivalence classes. 

So, an adversary $\mathcal{A}'$ in the DDH game can, on input $(g, g^x, g^y, g^z)$, first categorize $P_{C(x), C(y)}$. If $P_{C(x), C(y)}$ 
is greater than the midpoint of the interval, it outputs $\mathcal{A}(g, g^x, g^y, g^z)$. Otherwise, it flips a coin and outputs 
the result. Since $P_{\mathbb{G}, \mathbb{G}} > \lambda^{-k}$, it follows that with probability at least $|\mathbb{G}|/|G| = 1/\mathrm{poly}(\lambda)$, we have that 
$P_{C(x), C(y)}$ is larger than the midpoint. The result follows. □ 

Definition 15 ($k$-DDH and subgroup $k$-DDH). Let $G$ be a group of order $p$. For $k \ge 2$, we say that $k$-DDH 
is hard in $G$ if no probabilistic polynomial-time algorithm $\mathcal{A}$ can distinguish between $(g, (g^{x_i})_{i=1}^k, (g^{x_i x_j})_{1 \le i < j \le k})$ 
and $(g_i^*)_{i=1}^\ell$ with $\ell = k(k+1)/2 + 1$, where $g \xleftarrow{\$} G$, $(x_i) \xleftarrow{\$} \mathbb{Z}_p^k$, and $(g_i^*) \xleftarrow{\$} G^\ell$. 

Let $G$ be a group of order $p$, $\mathbb{G}$ be a subgroup of $\mathbb{Z}_p^*$, and $k \ge 2$. We say that $\mathbb{G}$-subgroup $k$-DDH is hard 
in $G$ if no probabilistic polynomial-time algorithm $\mathcal{A}$ can distinguish between $(g, (g^{x_i})_{i=1}^k, (g^{x_i x_j})_{1 \le i < j \le k})$ 
and $(g_i^*)_{i=1}^\ell$, where $g \xleftarrow{\$} G$, $(x_i) \xleftarrow{\$} \mathbb{G}^k$, and $(g_i^*) \xleftarrow{\$} G^\ell$. 

Lemma 2. Let $G$ be a group of order $p$. If DDH is hard in $G$, then $k$-DDH is hard in $G$ for any polynomially 
bounded $k$. 

Let $\mathbb{G}$ be a subgroup of $\mathbb{Z}_p^*$. If DDH is hard in $G$ and $|G|/|\mathbb{G}|$ is polynomially bounded, then $\mathbb{G}$-subgroup 
$k$-DDH is hard in $G$ for any polynomially bounded $k$. 

Proof. For $i = 0, \ldots, (k^2 - k)/2$, let Game $i$ be the game of distinguishing between a uniformly random 
tuple $(g_1^*, \ldots, g_\ell^*) \xleftarrow{\$} G^\ell$ and a tuple of the form $(g, (g^{x_i})_{i=1}^k, (g^{x_i x_j})_{1 \le i < j \le k})$ with the last $i$ elements 
changed to uniformly random elements. It follows from the assumption that DDH is hard in $G$ that no 
adversary can have non-negligibly larger advantage in Game $i$ than in Game $i + 1$. The result follows 
by noting that Game $0$ is the $k$-DDH game and that no adversary can have any advantage in Game 
$(k^2 - k)/2$. □ 

We will also require a non-uniform version of DDH. 

Definition 16 (Non-uniform decisional Diffie-Hellman). Let $G$ be a group of order $p$. We say that 
non-uniform decisional Diffie-Hellman is hard in $G$ if no probabilistic polynomial-time algorithm $\mathcal{A}$ with 
auxiliary information $\mathsf{aux} = \mathsf{aux}(G)$ can distinguish between $(g, g^x, g^y, g^{xy})$, where $g \xleftarrow{\$} G$ and $(x, y) \xleftarrow{\$} \mathbb{Z}_p^2$, 
and $(g_1, g_2, g_3, g_4) \xleftarrow{\$} G^4$. Note that $\mathsf{aux}$ does not need to be efficiently computable. 

We similarly extend the definitions of $\mathbb{G}$-subgroup DDH, $k$-DDH, and $\mathbb{G}$-subgroup $k$-DDH to the 
non-uniform setting. Finally, one more definition will be useful. 

Definition 17 (Chosen-bases $\mathbb{G}$-subgroup $k$-DDH). Let $G$ be a group of order $p$, $\mathbb{G}$ be a subgroup of 
$\mathbb{Z}_p^*$, and $k \ge 2$. We say that chosen-bases $\mathbb{G}$-subgroup $k$-DDH is hard in $G$ if no probabilistic polynomial-time 
algorithm $\mathcal{A}$ has non-negligible advantage in the following game. 

1. $(a, (g_i)_{i=1}^k, (h_{i,j})_{1 \le i < j \le k}) \leftarrow \mathcal{A}(1^\lambda)$, with $g_i, h_{i,j} \in G \setminus \{1_G\}$. 

2. Sample $b \xleftarrow{\$} \{0, 1\}$, $(x_i)_{i=1}^k \xleftarrow{\$} \mathbb{Z}_p^k$, and $(g_i^*)_{i=1}^\ell \xleftarrow{\$} G^\ell$, where $\ell = (k^2 + k)/2$. 

3. If $b = 0$, $b^* \leftarrow \mathcal{A}(a, (g_i^{x_i})_{i=1}^k, (h_{i,j}^{x_i x_j})_{i < j})$. Otherwise, $b^* \leftarrow \mathcal{A}(a, (g_i^*))$. 

4. $\mathcal{A}$ wins if and only if $b = b^*$. 

Lemma 3. Let $G$ be a group of order $p$, and let $\mathbb{G}$ be a subgroup of $\mathbb{Z}_p^*$. If non-uniform DDH is hard 
in $G$ and $|G|/|\mathbb{G}|$ is polynomially bounded, then chosen-bases $\mathbb{G}$-subgroup $k$-DDH is hard in $G$ for any 
polynomially bounded $k$. 

Proof. We first note that the natural non-uniform analogue of Lemma 2 holds by an essentially identical 
proof. In particular, it suffices to show that chosen-bases $\mathbb{G}$-subgroup $k$-DDH is hard in $G$ if non-uniform 
$\mathbb{G}$-subgroup $k$-DDH is hard in $G$. 

Let $\mathcal{A}$ be an adversary in the chosen-bases $\mathbb{G}$-subgroup $k$-DDH game in $G$. Note that $\mathcal{A}$ may not be 
deterministic, but we can fix the output of $\mathcal{A}$, $(a, (g_i)_{i=1}^k, (h_{i,j})_{1 \le i < j \le k}) \leftarrow \mathcal{A}(1^\lambda)$, such that the advantage 
of $\mathcal{A}$ with this fixed output is maximal. Let $\mathsf{aux} = (a, (\log_g(g_i))_{i=1}^k, (\log_g(h_{i,j}))_{1 \le i < j \le k})$. 

We then build $\mathcal{A}'$, an adversary in the non-uniform $\mathbb{G}$-subgroup $k$-DDH game in $G$, as follows. $\mathcal{A}'$ receives 
auxiliary input $(a, (\log_g(g_i))_{i=1}^k, (\log_g(h_{i,j}))_{1 \le i < j \le k})$ and challenge $((g_i^*)_{i=1}^k, (h_{i,j}^*)_{i < j})$. For each $i, j$ it sets 
$g_i' \leftarrow (g_i^*)^{\log_g(g_i)}$ and $h_{i,j}' \leftarrow (h_{i,j}^*)^{\log_g(h_{i,j})}$, then returns $\mathcal{A}(a, (g_i'), (h_{i,j}'))$. 

It should be clear that the view of $\mathcal{A}$ is identical to its view in the $\mathbb{G}$-subgroup $k$-DDH game in $G$. □ 



C Proof of Theorem 2 (security of the OT firewalls) 



Proof of Theorem 2. It should be clear that both firewalls maintain functionality. 

Let $\mathcal{A}$ be some tampered implementation of Alice, $(g, c, d, h)$ Bob's initial (possibly adversarial) message 
to Alice, $(u_b, e_b)$ the response of $\mathcal{A}$, and $(u_b', e_b')$ the same response after it passes through Alice's firewall 
$\mathcal{W}_A$. Suppose Bob's message satisfies $(g, c, d, h) = (g, g^x, g^y, g^{xy - b})$. Then, it should be clear that, if $(u_b, e_b)$ 
is a valid response, then $(u_b', e_b')$ is a uniformly random valid response. Note that Bob's firewall $\mathcal{W}_B$ replaces 
$(g, g^x, g^y, g^{xy - b})$ with a uniformly random message of the same form, $(g^\alpha, g^{\alpha(x + x')}, g^{\alpha(y + y')}, g^{\alpha((x + x')(y + y') - b)})$. 
It follows that if Alice maintains correctness, the response of $\mathcal{W}_B \circ (\mathcal{W}_A \circ \mathcal{A})$ to any valid message 
$(g, g^x, g^y, g^{xy - b})$ from Bob is a uniformly random valid response $(u_b', e_b')$ except with negligible probability. 
And, an argument similar to the proof of Proposition 1 shows that if Bob's message $(g, c, d, h)$ is not of the form $(g, g^x, g^y, g^{xy - b})$, 
then $(u_b', e_b')$ are uniformly random group elements. This immediately shows that the composed RF 
maintains correctness and weakly preserves Alice's security. To see that $\mathcal{W}_A$ (as well as the composed 
firewall $\mathcal{W}_B \circ \mathcal{W}_A$) is strongly exfiltration-resistant against an eavesdropper, we note additionally that 
$(u_b', e_b') = (u_b g^r, e_b g^{yr})$ for $r \xleftarrow{\$} \mathbb{Z}_p$. The result then follows from the assumption that DDH is hard in $G$. 
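As an added example (not the paper's code), the two firewall transformations that the argument above relies on, over a constructed toy group (the order-509 subgroup of $\mathbb{Z}_{1019}^*$). Bob's firewall rerandomizes $(g, g^x, g^y, g^{xy-b})$ into $(g^\alpha, g^{\alpha(x+x')}, g^{\alpha(y+y')}, g^{\alpha((x+x')(y+y')-b)})$, and `has_ot_form` checks that the relation survives; Alice's firewall maps $(u, e)$ to $(u g^r, e d^r) = (u g^r, e g^{yr})$. The way Alice encrypts $(m_0, m_1)$ against Bob's message (a Naor-Pinkas-style pair with $e / u^y = m_b$) and the way Bob's firewall translates her reply back to Bob's own $y$ (dividing by $u^{y'}$) are this example's assumptions, since the Section 3 protocol is not reproduced on this page; all function names are the example's own.

```python
# Added example: OT message rerandomization by Bob's firewall (W_B) and
# response rerandomization by Alice's firewall (W_A), as in the proof of
# Theorem 2.  The encryption Alice applies and the way W_B translates her
# answer back are ASSUMPTIONS of this example, not the paper's Section 3.
import secrets

# Constructed toy group: G = <4> is the subgroup of order Q = 509 in Z_P^*,
# with P = 1019 = 2*509 + 1.  Exponents live in Z_Q.
P, Q, G = 1019, 509, 4


def rand_exp(nonzero: bool = False) -> int:
    return secrets.randbelow(Q - 1) + 1 if nonzero else secrets.randbelow(Q)


def inv(a: int) -> int:
    return pow(a, -1, P)


def has_ot_form(msg, x: int, y: int, b: int) -> bool:
    """Check msg = (g, g^x, g^y, g^{xy-b}) for the given exponents and bit."""
    g, c, d, h = msg
    return (c == pow(g, x, P) and d == pow(g, y, P)
            and h == pow(g, (x * y - b) % Q, P))


def bob_query(b: int):
    """Bob's first message (g, g^x, g^y, g^{xy-b}); (x, y) returned for checks."""
    x, y = rand_exp(), rand_exp()
    msg = (G, pow(G, x, P), pow(G, y, P), pow(G, (x * y - b) % Q, P))
    return msg, (x, y)


def bob_firewall_query(msg):
    """W_B: fresh (alpha, x', y') give a uniformly random message of the same form."""
    g, c, d, h = msg
    a, xp, yp = rand_exp(nonzero=True), rand_exp(), rand_exp()
    g2 = pow(g, a, P)
    c2 = pow(c, a, P) * pow(g2, xp, P) % P                   # g^{a(x+x')}
    d2 = pow(d, a, P) * pow(g2, yp, P) % P                   # g^{a(y+y')}
    h2 = (pow(h, a, P) * pow(c, a * yp, P) * pow(d, a * xp, P)
          * pow(g2, xp * yp, P)) % P                         # g^{a((x+x')(y+y')-b)}
    return (g2, c2, d2, h2), (a, xp, yp)


def alice_respond(msg, m0: int, m1: int):
    """ASSUMED Naor-Pinkas-style encryption: for each b' the pair (u, e) satisfies
    e / u^y = m_{b'} exactly when h = g^{xy-b'}; m0, m1 are group elements."""
    g, c, d, h = msg
    out = []
    for bp, m in ((0, m0), (1, m1)):
        r, s = rand_exp(), rand_exp()
        u = pow(c, r, P) * pow(g, s, P) % P                  # g^{xr+s}
        e = pow(h * pow(g, bp, P) % P, r, P) * pow(d, s, P) % P * m % P
        out.append((u, e))
    return out


def alice_firewall_response(msg, resp):
    """W_A: (u, e) -> (u g^r, e d^r) = (u g^r, e g^{yr}); decryption is unchanged."""
    g, _, d, _ = msg
    out = []
    for u, e in resp:
        r = rand_exp()
        out.append((u * pow(g, r, P) % P, e * pow(d, r, P) % P))
    return out


def bob_firewall_response(resp, yp: int):
    """ASSUMED translation back to Bob's own secret y: e' = e / u^{y'}."""
    return [(u, e * inv(pow(u, yp, P)) % P) for u, e in resp]


def bob_decrypt(resp, y: int, b: int) -> int:
    u, e = resp[b]
    return e * inv(pow(u, y, P)) % P


def run_ot(b: int, m0: int, m1: int) -> int:
    """Full run Bob -> W_B -> Alice -> W_A -> W_B -> Bob; returns Bob's output."""
    msg, (_, y) = bob_query(b)
    msg2, (_, _, yp) = bob_firewall_query(msg)
    resp = alice_respond(msg2, m0, m1)
    resp = alice_firewall_response(msg2, resp)
    resp = bob_firewall_response(resp, yp)
    return bob_decrypt(resp, y, b)
```

The relation check after `bob_firewall_query` uses the shifted exponents $x + x'$ and $y + y'$, which is exactly why a tampered Alice learns nothing from the rerandomized message that she could not learn from a fresh honest one.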

Turning to Bob's RF, in order to prove robustness, it suffices to show that no PPT adversary can distinguish 
between $\mathcal{W}_B(\zeta_0)$ and $\mathcal{W}_B(\zeta_1)$ with non-negligible advantage for adversarially chosen $\zeta_i = (g_i, c_i, d_i, h_i)$ 
with $g_i \ne 1_G$. 

- Game 1 is the game that asks an adversary to provide $\zeta_0$ and $\zeta_1$ and distinguish between $\mathcal{W}_B(\zeta_0)$ and 
$\mathcal{W}_B(\zeta_1)$. In particular, the "challenge message" takes the form 

$(g^*, c^*, d^*, h^*) = (g_b^\alpha,\ c_b^\alpha g_b^{\alpha x'},\ d_b^\alpha g_b^{\alpha y'},\ h_b^\alpha c_b^{\alpha y'} d_b^{\alpha x'} g_b^{\alpha x' y'})$, 

where $(g_b, c_b, d_b, h_b) = \zeta_b$ are adversarially chosen with $g_b \ne 1_G$, and $(\alpha, x', y') \xleftarrow{\$} \mathbb{Z}_p^3$. 

- Game 2 is Game 1 with the challenge message replaced by 

$(g^*, c^*, d^*, h^*) = (g_b^\alpha,\ c_b^\alpha g_b^{\alpha x'},\ d_b^\alpha g_b^{\alpha y'},\ h_b^\alpha c_b^{\alpha y'} d_b^{\alpha x'} g_b^{\alpha z'})$, 

where $(g_b, c_b, d_b, h_b) = \zeta_b$ are adversarially chosen with $g_b \ne 1_G$, and $(\alpha, x', y', z') \xleftarrow{\$} \mathbb{Z}_p^4$. 

- Game 3 is Game 2 with the challenge message replaced by four uniformly random group elements. 

Claim 2.1. For any PPT adversary $\mathcal{A}$, $|\mathrm{Adv}^{\mathrm{Game}\ 1}(\mathcal{A}) - \mathrm{Adv}^{\mathrm{Game}\ 2}(\mathcal{A})|$ is negligible if DDH with a hint 
is hard in $G$. 

Proof. Fix $\mathcal{A}$. We construct an adversary $\mathcal{A}'$ in the DDH with a hint game as follows. 

1. $(\zeta_0, \zeta_1, a) \leftarrow \mathcal{A}()$. 

2. $b \xleftarrow{\$} \{0, 1\}$. Parse $(g_b, c_b, d_b, h_b) \leftarrow \zeta_b$. 

3. Sample $\alpha \xleftarrow{\$} \mathbb{Z}_p$. 

4. Send $(g_b^\alpha, d_b^\alpha, c_b^\alpha)$ to the DDH with a hint challenger, and receive response $(g_b^{\alpha x}, g_b^{\alpha y}, g_b^{\alpha z}, d_b^{\alpha x}, c_b^{\alpha y})$. 

5. $b^* \leftarrow \mathcal{A}(a, (g_b^\alpha,\ c_b^\alpha g_b^{\alpha x},\ d_b^\alpha g_b^{\alpha y},\ h_b^\alpha c_b^{\alpha y} d_b^{\alpha x} g_b^{\alpha z}))$. 

6. Output 1 if and only if $b = b^*$. 

Clearly, if $z = xy$, then the view of $\mathcal{A}$ in the above game is distributed identically to its view in Game 
1, and if $z \xleftarrow{\$} \mathbb{Z}_p$, then the view of $\mathcal{A}$ in the above game is identically distributed to its view in Game 2. 
The claim follows from the hardness of DDH with a hint in $G$. (2.1) ■ 

The result follows by noting that the difference between Game 2 and Game 3 is merely syntactic and 
that no adversary can have any advantage in Game 3. 

□ 



D Details of the firewalls from Section 5 

In Figure 10, we present an algorithm RerandGarble that rerandomizes the garbled circuits from Section 4. 
The rerandomization of the ciphertexts is accomplished by five subprocedures that work in concert. The 
procedure Permute reorders the ciphertexts corresponding to a given vertex according to the random bits 
$b^*$, and the procedure Flip$_\tau$ flips the location bits in the manner described in Section 4 so that they remain 
consistent with this new ordering. Similarly, Change$_T$ rerandomizes tags $T_z^{(i)}$ to new tags $T_z'^{(i)}$, and the 
procedure Change$_{\mathrm{Key}}$ converts ciphertexts under the old secret key $T_L \cdot T_R$ to ciphertexts under the new 
key $T_L' \cdot T_R'$. Finally, RerandEnc simply rerandomizes all of the ElGamal ciphertexts in the standard way, 
mapping $(g^r, h^r T)$ to $(g^{r + r'}, h^{r + r'} T)$. Intuitively, these functions together "reset all of the randomness used 
to garble the circuit." 
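As an added example (not the paper's Figure 10), RerandEnc and Change$_{\mathrm{Key}}$ applied to one garbled-gate ciphertext of the form $(h, g^r, h^r T, g^s, h^s g^\tau)$ with $h = g^{T_L T_R}$, over a constructed two-level group tower: tags live in the order-127 subgroup of $\mathbb{Z}_{509}^*$ and ciphertexts in the order-509 subgroup of $\mathbb{Z}_{1019}^*$, so tags can serve as exponents, mirroring the requirement that $G_{d-1}$ be a subgroup of $\mathbb{Z}_{p_d}^*$. The page says only that Change$_{\mathrm{Key}}$ moves a ciphertext from key $T_L \cdot T_R$ to $T_L' \cdot T_R'$; realizing that as $h' = h^\rho$, $u' = u^{1/\rho}$, $v' = v^{1/\rho}$ with $\rho = \mathcal{R}_L \mathcal{R}_R$ and $T_L' = T_L \mathcal{R}_L$, $T_R' = T_R \mathcal{R}_R$ is this example's assumption, as are all function names.

```python
# Added example: RerandEnc and Change_Key on a single garbled-gate ciphertext
# (h, g^r, h^r T, g^s, h^s g^tau), h = g^{T_L T_R}.  The key-change formula is
# an ASSUMPTION of this example; the paper's Figure 10 is not legible here.
import secrets

P1, Q1, G1 = 509, 127, 16     # tag group G1 = <16>, order 127, inside Z_509^*
P2, Q2, G2 = 1019, 509, 4     # ciphertext group G2 = <4>, order 509, inside Z_1019^*
assert Q2 == P1               # tags (elements of Z_509^*) are exponents mod |G2|


def rand_tag() -> int:
    """Uniform element of G1, i.e. 16^k mod 509 for a random k."""
    return pow(G1, secrets.randbelow(Q1), P1)


def rand_exp() -> int:
    return secrets.randbelow(Q2)


def key_of(TL: int, TR: int) -> int:
    """Secret key T_L * T_R, a product in G1 and hence an exponent in Z_509."""
    return TL * TR % P1


def encrypt_gate(TL: int, TR: int, T: int, tau: int):
    """Honest garbling of one gate entry: (h, g^r, h^r T, g^s, h^s g^tau)."""
    h = pow(G2, key_of(TL, TR), P2)
    r, s = rand_exp(), rand_exp()
    return (h, pow(G2, r, P2), pow(h, r, P2) * T % P2,
            pow(G2, s, P2), pow(h, s, P2) * pow(G2, tau, P2) % P2)


def decrypt_gate(ct, TL: int, TR: int):
    """Bob's step: recover (T, tau) with key T_L T_R, or None if the key is wrong."""
    h, u, e, v, w = ct
    k = key_of(TL, TR)
    if pow(G2, k, P2) != h:
        return None                                    # key does not match h
    T = e * pow(pow(u, k, P2), -1, P2) % P2
    loc = w * pow(pow(v, k, P2), -1, P2) % P2
    tau = {1: 0, G2: 1}.get(loc)                       # g^tau must be 1 or g
    return None if tau is None else (T, tau)


def rerand_enc(ct):
    """RerandEnc: (g^r, h^r T) -> (g^{r+r'}, h^{r+r'} T), and likewise for (v, w)."""
    h, u, e, v, w = ct
    rp, sp = rand_exp(), rand_exp()
    return (h, u * pow(G2, rp, P2) % P2, e * pow(h, rp, P2) % P2,
            v * pow(G2, sp, P2) % P2, w * pow(h, sp, P2) % P2)


def change_key(ct, RL: int, RR: int):
    """ASSUMED Change_Key: move the ciphertext from key T_L T_R to
    (T_L R_L)(T_R R_R) without knowing either key.  With rho = R_L R_R,
    h' = h^rho and u' = u^{1/rho}, v' = v^{1/rho}, so that
    u'^{rho T_L T_R} = u^{T_L T_R} = h^r still unmasks e."""
    h, u, e, v, w = ct
    if h == 1:   # degenerate key: as on the page, replace by a non-identity element
        h = pow(G2, secrets.randbelow(Q2 - 1) + 1, P2)
    rho = RL * RR % P1
    rho_inv = pow(rho, -1, P1)
    return (pow(h, rho, P2), pow(u, rho_inv, P2), e, pow(v, rho_inv, P2), w)


def masked_tags(TL: int, TR: int, RL: int, RR: int):
    """The new parent tags T_L' = T_L R_L and T_R' = T_R R_R (products in G1)."""
    return TL * RL % P1, TR * RR % P1
```

Only $h$, $u$ and $v$ change under `change_key`, which matches the $(h', u', v')$ output of Change$_{\mathrm{Key}}$ in Figure 10; $e$ and $w$ are untouched because the mask $h^r = u^{T_L T_R}$ they carry is preserved by scaling the exponents of $h$ and $u$ inversely.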

In Figure 11, we present Bob's reverse firewall for the private function evaluation protocol from Section 4 
for completeness. We note that it is nearly identical to Bob's firewall from Section 3. 
Fig. 10 (pseudocode): 
proc. RerandGarble$((A_z), (g_d), (\mathcal{R}_z, \beta_z, \kappa))$: for $d = 2, \ldots, D$ and for each $z \in V \setminus I$ with $d \leftarrow \mathrm{depth}(z)$, apply Permute, Flip$_\tau$, Change$_T$, Change$_{\mathrm{Key}}$ and RerandEnc to each entry $\eta \in \{0,1\}^2$ of $A_z$; OUTPUT $((A_z'), (g_d'))$. 
proc. RerandEnc$(h, u, e, v, w, d)$: OUTPUT $(u g_d^{r'}, e h^{r'}, v g_d^{s'}, w h^{s'})$. 
proc. Permute$(A)$: PARSE $(C_\eta)_{\eta \in \{0,1\}^2} \leftarrow A$; OUTPUT $(C_\eta')_{\eta \in \{0,1\}^2}$. 
proc. Flip$_\tau(v, w, d)$. 
proc. Change$_T(u, e, v, w, z)$: $d \leftarrow \mathrm{depth}(z)$; IF $z \in O$, output the entries raised to the rerandomization exponent; otherwise multiply in the fresh tag randomness. 
proc. Change$_{\mathrm{Key}}(h, u, v, z, \eta_0, \eta_1)$: $d \leftarrow \mathrm{depth}(z)$; IF $h = 1_{G_d}$, $h' \xleftarrow{\$} G_d \setminus \{1_{G_d}\}$; ELSE $h' \leftarrow h^{\mathcal{R}_{L(z)} \mathcal{R}_{R(z)} g_{d-1}}$; OUTPUT $(h', u', v')$. 

Fig. 10: The algorithm RerandGarble rerandomizes garbled circuits in the form of the output of the algorithm Garble shown 
in Figure 5. In addition to a garbled circuit $((A_z), (g_d))$, the algorithm also takes as input masks $(\mathcal{R}_z, \beta_z, \kappa)$ for the input 
vertices. It outputs rerandomized ciphertexts $(A_z')$ and rerandomized group elements $(g_d')$. The location bits $\tau_z^{(i)}$ corresponding 
to input vertices are replaced by $\tau_z'^{(i)} = \tau_z^{(i)} \oplus b^*$. Tags $T_z^{(i)}$ corresponding to input vertices in the original circuit are replaced 
by tags $T_z'^{(i)}$ equal to $T_z^{(i)} \cdot \mathcal{R}_z$ times a power of $g_1$. 



E Proof of Proposition 3 (security of the PFE protocol) 



Proof of Proposition 3. Correctness follows immediately. Security for Bob follows from the security of the 
oblivious transfer protocol (see Section 3). 

To prove security for Alice, we need to show that there exists a probabilistic polynomial-time simulator 
$S$ such that for any adversarially chosen input $(C, x)$, the output of $S$ on input $x$ with access to the ideal 
functionality $\mathcal{F}$ is computationally indistinguishable from the view of Bob in the real protocol with input 
$(C, x)$. It suffices for $S$ to query $y \leftarrow \mathcal{F}(x)$ and construct a constant circuit $C_y$ whose output is $y$ on all 
inputs. It can then simulate a run of the protocol with Bob on inputs $C_y$ and $x$ and output the view of 
Bob. 

It will be convenient to define a computation path on a garbled circuit $(A_z)$ with input tags and location 
bits $(T_z, \tau_z)$ as the collection of all ciphertexts $(h, u, e, v, w)$ that are decrypted during a run of the Eval 
function. With that, we define the following sequence of games. 

— Game 1 is the indistinguishability game between the output of $S$ on input $x$ (with access to the ideal 
functionality computing $C$) and the view of Bob in the real game on input $(C, x)$. 

— Game 2 is Game 1 in which the group elements in Alice's input messages corresponding to tags and 
location bits of the form $(T_z^{(1 - x_z)}, \tau_z^{(1 - x_z)})$ for input vertices $z$ are replaced by uniformly random group 
elements (in both the simulated world and the real world). 

— For $d = 2$ to $D$, Game $d + 1$ is Game $d$ in which all ciphertexts $(h, u, e, v, w)$ at depth $d$ that are not 
in the computation path are replaced by uniformly random group elements. 

The difference between Game 1 and Game 2 is merely syntactic. (See the proof of Proposition 1.) In 
the final game, Game D + 1, the views are identical. So, it suffices to show that no adversary's advantage 
Fig. 11 (protocol diagram with columns Alice, Bob's Firewall, Bob): 
Setup Phase: IF $g_1 = 1_{G_1}$, $g_1' \xleftarrow{\$} G_1 \setminus \{1_{G_1}\}$. 
Input Phase (Oblivious Transfer), for each $z \in I$: the firewall samples fresh $(\alpha, x', y')$, forwards to Alice a rerandomized message with $d' \leftarrow d^{\alpha} g'^{y'}$ and $h' \leftarrow h^{\alpha} c^{\alpha y'} d^{\alpha x'} g'^{x' y'}$, and on Alice's reply sets $e_0' \leftarrow e_0 / u_0^{y'}$, $e_1' \leftarrow e_1 / u_1^{y'}$, $u_0' \leftarrow u_0^{1/\alpha}$, $u_1' \leftarrow u_1^{1/\alpha}$ before forwarding $(u_b', e_b', v_b', w_b')_{b = 0}^{1}$ to Bob. 
Output Phase (Garbled Circuit). 

Fig. 11: Bob's firewall for the private function evaluation protocol shown in Figure 7. 
in Game $d$ is non-negligibly greater than its advantage in Game $d + 1$. To that end, it will be convenient 
to define an intermediate game, Game $d + 1/2$. Note that in Game $d$, the ciphertexts at depth $d$ take 
the form $(h, g_d^r, h^r T, g_d^s, h^s g_d^\tau)$ where $h = g_d^{T_L T_R}$ for some tags $T_L, T_R \in G_{d-1}$. So, we define Game $d + 1/2$ 
as Game $d$ in which each public key $h$ that is not in the computation path is independently replaced by 
$h' \xleftarrow{\$} G_d$, so that the full ciphertexts now take the form $(h', g_d^r, h'^r T, g_d^s, h'^s g_d^\tau)$. 

Claim 3.1. For any probabilistic polynomial-time adversary $\mathcal{B}$, $|\mathrm{Adv}^{\mathrm{Game}\ d + 1/2}(\mathcal{B}) - \mathrm{Adv}^{\mathrm{Game}\ d}(\mathcal{B})|$ is 
negligible if DDH is hard in $G_d$. 

Proof. By Lemma 2, it suffices to show that the difference in advantages is small if $G_{d-1}$-subgroup $k$-DDH 
is hard in $G_d$. Indeed, note that for a vertex $z$ of depth $d$, the public keys satisfy 

$h_{b_L, b_R} = g_d^{T_L^{(b_L)} T_R^{(b_R)}}$, 

where the $T^{(i)}$ are in $G_{d-1}$. The adversary can efficiently compute half of the tags $T^{(i)}$, namely those corresponding 
to the computation path. 

Let $\mathcal{B}$ be an adversary in Game $d$. Let $k$ be the number of vertices of depth $d - 1$. Then, we construct 
an adversary $\mathcal{B}'$ in the $G_{d-1}$-subgroup $k$-DDH game in $G_d$. $\mathcal{B}'$ receives input $(\gamma_1, (\gamma_i')_{i=1}^k, (\gamma_{i,j}'')_{i < j}) = 
(\gamma_1, (\gamma_1^{x_i})_{i=1}^k, (\gamma_1^{y_{i,j}})_{i < j})$ where the $\gamma$ are elements of $G_d$, the $x_i$ are uniformly random elements from $G_{d-1}$, and 
either $y_{i,j} = x_i x_j$ or they are uniformly random elements from $\mathbb{Z}_{p_d}$. $\mathcal{B}'$ then behaves as follows. 

1. $(C, x) \leftarrow \mathcal{B}()$. $y \leftarrow C(x)$. 

2. Sample $b \xleftarrow{\$} \{0, 1\}$. If $b = 0$, let $C^* = C$. Otherwise, let $C^* = C_y$, the constant circuit that always 
outputs $y$. 

3. Let $(z_i)$ be the vertices of depth $d - 1$ in some ordering. For a run of the protocol, let $T_i$ represent 
the tag corresponding to $z_i$ that is in the computation path. 

4. Simulate a run of the protocol as in Game $d$ with input $(C^*, x)$ and $g_d$ fixed to $\gamma_1$, but replace each 
public key $h$ at depth $d$ with parent vertices $z_i$ and $z_j$ by $h'$ as follows. 

(a) If $h$ is in the computation path, then simply set $h' \leftarrow h$. 

(b) If one parent of $h$, $z_j$, is in the computation path and the other, $z_i$, is not, set $h' \leftarrow (\gamma_i')^{T_j}$. 

(c) If neither parent of $h$ is in the computation path, set $h' \leftarrow \gamma_{i,j}''$. 

5. Provide $\mathcal{B}$ with the view of Bob, receiving its output bit $b^*$. 

6. Output 1 if and only if $b = b^*$. 



It suffices to show that the view of $\mathcal{B}$ in the above game is identical to its view in Game $d$ when 
$y_{i,j} = x_i x_j$ and that it is identical to its view in Game $d + 1/2$ when $y_{i,j} \xleftarrow{\$} \mathbb{Z}_{p_d}$. To see this, recall that 
in both games, all elements off of the computation path of depth $d - 1$ are uniformly and independently 
random. Therefore, the tags $T_z^{(i)}$ at depth $d - 1$ that are off of the computation path are uniformly random 
and independent of all other elements, like the $x_i$. The claim follows. (3.1) ■ 



Claim 3.2. For any probabilistic polynomial-time adversary $\mathcal{B}$, $|\mathrm{Adv}^{\mathrm{Game}\ d + 1}(\mathcal{B}) - \mathrm{Adv}^{\mathrm{Game}\ d + 1/2}(\mathcal{B})|$ 
is negligible if DDH is hard in $G_d$. 

Proof. Each ciphertext off of the computation path is of the form $(h', g_d^r, h'^r T, g_d^s, h'^s g_d^\tau)$ where $h'$, $r$ and 
$s$ are uniformly random (and the other elements are all efficiently computable). The claim then follows 
immediately from the assumption that DDH is hard in $G_d$. (3.2) ■ 

The result follows from the claims. 

□ 
F Proof of Theorem 4 (security of the PFE firewalls) 



Proof of Theorem 4. The proof of the first statement is nearly identical to the proof of Theorem 2 (the 
corresponding theorem for the oblivious transfer protocol from Section 3). 

It should be clear that Alice's reverse firewall maintains correctness. To prove security, fix some 
tampered implementation $\mathcal{A}$ that maintains functionality. Let $S$ be the simulator from the proof of 
Proposition 3. For convenience, we also imagine that the simulator calls the RerandGarble function on the garbled 
circuit that it produces before sending it to Bob. (This is simply a syntactic change.) As in the proof of 
Proposition 3, we define the computation path as the collection of ciphertexts in the garbled circuit that 
Bob decrypts in a given run. Note that this computation path must be well-defined (with all but negligible 
probability) because $\mathcal{A}$ maintains functionality. We define the following sequence of games. 

— Game 1 is the indistinguishability game between the output of $S$ on input $x$ (with access to the ideal 
functionality computing $C$) and the view of Bob in the real game on input $(C, x)$. 

— Game 2 is Game 1 in which the group elements in Alice's input messages corresponding to tags and 
location bits of the form $(T_z^{(1 - x_z)}, \tau_z^{(1 - x_z)})$ for input vertices $z$ are replaced by uniformly random group 
elements (in both the simulated world and the real world). 

— For $d = 2$ to $D$, Game $d + 1$ is Game $d$ in which all ciphertexts $(h, u, e, v, w)$ at depth $d$ that are not 
in the computation path of Bob are replaced by uniformly random group elements. 

The difference between Game 1 and Game 2 is simply syntactic. (See the proof of Proposition 1.) 
As in the proof of Proposition 3, we define an intermediate game, Game $d + 1/2$. Note that in Game $d$, 
the ciphertexts at depth $d$ output by the reverse firewall take the form $(h', g_d^{r'} u', h'^{r'} e', g_d^{s'} v', h'^{s'} w')$ where 
$r'$ and $s'$ are uniformly random (see the function RerandEnc in Figure 10). So, we define Game $d + 1/2$ as 
Game $d$ in which each public key $h'$ that is not in the computation path is independently replaced 
by $h'' \xleftarrow{\$} G_d$, so that the full ciphertexts now take the form $(h'', g_d^{r'} u', h''^{r'} e', g_d^{s'} v', h''^{s'} w')$. 

Claim 4.1. For any probabilistic polynomial-time adversary $\mathcal{B}$, $|\mathrm{Adv}^{\mathrm{Game}\ d + 1/2}(\mathcal{B}) - \mathrm{Adv}^{\mathrm{Game}\ d}(\mathcal{B})|$ is 
negligible if non-uniform DDH is hard in $G_d$. 

Proof. We consider the effect of Change$_{\mathrm{Key}}$ from Figure 10 on the ciphertexts $(A_z)$ corresponding to vertices 
of depth $d$. First, consider the ciphertexts corresponding to one such vertex, $A_z = (h_\eta, u_\eta, e_\eta, v_\eta, w_\eta)_{\eta \in \{0,1\}^2}$ 
with $h_\eta \ne 1$. The function Change$_{\mathrm{Key}}$ sets 

$T'_\eta = \mathcal{R}_{L(z)} \mathcal{R}_{R(z)}\, g_{d-1}$ 

and $h'_\eta = h_\eta^{T'_\eta}$, where $\mathcal{R}_{L(z)}, \mathcal{R}_{R(z)}, \beta_{L(z)}, \beta_{R(z)}$ are uniformly random and $\eta = (\eta_0, \eta_1)$. It therefore 
follows that the collection of all public keys $h$ at depth $d$ takes the form $(h_{i,j}^{x_i x_j})_{i < j}$ where the $h_{i,j} \in G_d$ 
are chosen by either the simulator or the tampered implementation $\mathcal{A}$ and each $x_i$ is a mask $\mathcal{R}_{z'} \cdot g_{d-1}^{\tau}$ for 
some $\tau$ and some $z'$ with depth $d - 1$. Note that the masks $x_i$ corresponding to the computation path can 
be efficiently computed from the original circuit and the output of the rerandomization algorithm. 

By Lemma 3, it suffices to show that the difference in advantages is small if chosen-bases $G_{d-1}$-subgroup 
$k$-DDH is hard in $G_d$. Recall that in this game, $\mathcal{B}'$ must provide $(\gamma_i)_{i=1}^k$ and $(\delta_{i,j})_{i < j}$, all elements in $G_d$. 
It then receives $((\gamma_i^{x_i})_{i=1}^k, (\delta_{i,j}^{y_{i,j}})_{i < j})$ where the $x_i$ are uniformly random elements from $G_{d-1}$ and either 
$y_{i,j} = x_i x_j$ or they are uniformly random elements in $\mathbb{Z}_{p_d}$. So, let $\mathcal{B}$ be an adversary in Game $d$. Let 
$k$ be the number of vertices of depth $d - 1$. Then, we construct an adversary $\mathcal{B}'$ in the chosen-bases 
$G_{d-1}$-subgroup $k$-DDH game in $G_d$, which behaves as follows. 

1. $(C, x) \leftarrow \mathcal{B}()$. 

2. $y \leftarrow C(x)$. 

3. Sample $b \xleftarrow{\$} \{0, 1\}$. If $b = 0$, let $C^* = C$. Otherwise, let $C^* = C_y$, the constant circuit that always 
outputs $y$. 

4. Let $(z_i)$ be the vertices of depth $d - 1$ in some order. For a run of the RerandGarble function, define 
$\mathcal{R}_i = \mathcal{R}_{z_i} \cdot g_{d-1}^{\tau_i}$ where $\tau_i$ is the bit corresponding to the computation path. 

5. Simulate a run of the protocol with Alice replaced by the firewall composed with $\mathcal{A}$ if $b = 0$ or the 
simulator if $b = 1$ until the garbled circuit is produced but before the RerandGarble function is called. 

6. Run RerandGarble on the garbled circuit, and replace all elements that are off of the computation path 
at depth less than $d$ by uniformly random elements. Note that this defines the elements $(\mathcal{R}_i)$ and $\alpha_d$. 

7. For each public key $h$ at depth $d$ in the original garbled circuit with parents $z_i$ and $z_j$, do the following. 

(a) If one parent of $h$, $z_j$, is in the computation path and the other, $z_i$, is not, set $\gamma_i \leftarrow h^{\mathcal{R}_j}$. 

(b) If neither parent of $h$ is in the computation path, set $\delta_{i,j} \leftarrow h^{\alpha_d}$. 

8. If any values $\gamma_i$ or $\delta_{i,j}$ are not set, set them to arbitrary values. 

9. Send $((\gamma_i)_{i=1}^k, (\delta_{i,j})_{i < j})$ to the $G_{d-1}$-subgroup $k$-DDH challenger, receiving $((\gamma_i')_{i=1}^k, (\delta_{i,j}')_{i < j})$. 

10. For each public key $h'$ at depth $d$ in the rerandomized garbled circuit with parents $z_i$ and $z_j$, do the 
following. 

(a) If $h'$ is in the computation path, set $h'' \leftarrow h'$. 

(b) If $h'$ has one parent $z_j$ in the computation path and the other $z_i$ is not, set $h'' \leftarrow \gamma_i'$. 

(c) If neither parent of $h'$ is in the computation path, set $h'' \leftarrow \delta_{i,j}'$. 

11. Finish the run of the protocol by sending Bob the modified garbled circuit. 

12. Provide $\mathcal{B}$ with the view of Bob, receiving result $b^*$. 

13. Output 1 if and only if $b = b^*$. 

It suffices to show that the view of $\mathcal{B}$ in the above game is identical to its view in Game $d$ when 
$y_{i,j} = x_i x_j$ and that it is identical in Game $d + 1/2$ when $y_{i,j} \xleftarrow{\$} \mathbb{Z}_{p_d}$. To see this, recall that in Game $d$, 
all elements off of the computation path of depth $d - 1$ are uniformly and independently random. Therefore, 
the random masks $\mathcal{R}_z \cdot g_{d-1}^{\tau}$ at depth $d - 1$ that are off of the computation path are uniformly random 
and independent of all other elements. The claim follows. (4.1) ■ 

Claim 4.2. For any probabilistic polynomial-time adversary $\mathcal{B}$, $|\mathrm{Adv}^{\mathrm{Game}\ d + 1}(\mathcal{B}) - \mathrm{Adv}^{\mathrm{Game}\ d + 1/2}(\mathcal{B})|$ 
is negligible if DDH is hard in $G_d$. 

Proof. Each ciphertext off of the computation path is now of the form $(h'', g_d^{r'} u, h''^{r'} e, g_d^{s'} v, h''^{s'} w)$ where 
$h''$, $r'$, and $s'$ are uniformly random and the other elements are all efficiently computable (see the procedure 
RerandEnc). The claim then follows immediately from the assumption that DDH is hard in $G_d$. (4.2) ■ 

Claim 4.3. The two views in Game $D + 1$ are identically distributed. 

Proof. It should be clear that the input messages are identically distributed in both views. In both garbled 
circuits, all elements not in the computation path are uniformly and independently random. Along the 
computation path, the ciphertext components $(u', e', v', w')$ take the form $(g_d'^{\,r'}, h'^{r'} T', g_d'^{\,s'}, h'^{s'} g_d'^{\,\tau'})$ where $r'$ and 
$s'$ are uniformly and independently random (see the procedure RerandEnc) and $g_d'$ is uniformly random 
but fixed for each depth. Since the computation path is well-defined, $\tau'$ must be a uniformly random bit 
(see the procedure Flip$_\tau$). For ciphertexts that do not correspond to output vertices, $T'$ is also uniformly 
and independently random (see the procedure Change$_T$). Because $\mathcal{A}$ maintains functionality, tags in the 
computation path corresponding to output vertices satisfy $T' = g^b$ where $b$ is the corresponding output 
bit of $C(x)$ with all but negligible probability (again, see the procedure Change$_T$). Similarly, $h'$ is uniquely 
determined by the elements before it in the path (or in the input messages): in particular, it is $g^{T_L' T_R'}$ 
where $T_L', T_R'$ are the tags corresponding to the parents of the current node (see the procedure Change$_{\mathrm{Key}}$). 
The computation path itself is uniquely determined by the bits $\tau'$ (see the procedure Permute). 

The claim follows. (4.3) ■ 
To see that Alice's reverse firewall is strongly exfiltration-resistant, consider the above argument in 
the case where the computation path is empty. 
The result follows. 